diff --git a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
index 0faf8fb1ac..0e1191fcb0 100644
--- a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus 
Exclusion Command, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Lazarus Loaders, WMIC Uninstall Product"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command 
Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Control Panel Items, 
MavInject Process Injection"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer 
Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, 
"comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 
100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation 
(CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Lazarus Loaders, Suspicious Taskkill Command, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Taskkill Command, Control Panel Items, Suspicious Windows Installer Execution, MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed 
Python Program, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: 
Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer 
Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, 
{"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": 
"Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json index 723fc0f57b..08dfb21c7a 100644 --- a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File and Directory Permissions Modification"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File and Directory Permissions Modification"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, 
List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": 
"T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Generic-reverse-shell-oneliner, Bloodhound and Sharphound Tools Usage, Elise Backdoor, Linux Bash Reverse Shell, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Python Offensive Tools and Packages, Aspnet Compiler, Sysprep On AppData Folder, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SSH Tunnel Traffic, Netsh Port Forwarding, SSH X11 Forwarding"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Opening Of a Password File, 
Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Linux Binary Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Linux Binary Masquerading"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: 
Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Lazarus Loaders, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, AccCheckConsole Executing Dll, Suspicious Mshta Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Equation Group DLL_U Load, Control Panel Items, MavInject Process Injection, Suspicious Control Process, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, CMSTP Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell 
EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: 
Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module 
Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, 
XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious 
Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": 
"T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: 
Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI 
Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allow Command, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Sysprep On AppData Folder, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Python Offensive Tools and Packages, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Elise Backdoor, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion 
Command, Suspicious Taskkill Command, Aspnet Compiler"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Empire Monkey Activity, xWizard Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, CMSTP Execution, MavInject Process Injection"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": 
"Rules: ETW Tampering, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File and Directory Permissions Modification, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Linux Binary Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Linux Binary Masquerading, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using 
AcceptEula Parameter"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using 
Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Netsh Port Forwarding, SOCKS Tunneling Tool, SSH Tunnel Traffic, Exfiltration And Tunneling Tools Execution, SSH X11 Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools 
Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, 
{"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, 
{"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New 
Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel 
Module Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: File and Directory Permissions Modification, Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json index 01672aae38..1495b2d345 100644 --- a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json 
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download 
Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST 
Requests"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
index 2190a69645..fc52b11221 100644
--- a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1082", "score": 100, 
"comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Tampering Detected, 
Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Exploiting SetupComplete.cmd CVE-2019-1378, Generic-reverse-shell-oneliner, Bloodhound and Sharphound Tools Usage, Elise Backdoor, Linux Bash Reverse Shell, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Microsoft Defender Antivirus Threat Detected, Python Offensive Tools and Packages, Microsoft Office Creating Suspicious File, Aspnet Compiler, Sysprep On AppData Folder, PowerShell Malicious Nishang PowerShell Commandlets, WithSecure Elements Critical Severity, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious CodePage Switch with CHCP, Default 
Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious 
certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Microsoft Office Creating Suspicious File, Download Files From Non-Legitimate TLDs, Sysmon Windows File Block Executable, Explorer Process Executing HTA File, WithSecure Elements Critical Severity, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process, WithSecure Elements Critical Severity, Usage Of Procdump With Common Arguments, Microsoft Defender Antivirus Threat Detected, Exfiltration Via Pscp"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Non-Legitimate TLDs, Sysmon Windows File Block Executable, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools 
Execution, Python HTTP Server"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Lazarus Loaders, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, MavInject Process Injection, Suspicious Control Process, CertOC Loading Dll, Suspicious Taskkill Command, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Empire Monkey Activity, Equation Group DLL_U Load, Control Panel Items, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor 
Vulnerability, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta 
Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed 
With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": 
"T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": 
"Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1485", 
"score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", 
"score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and 
Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: WithSecure Elements Critical Severity, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Sysmon Windows File Block Executable, Download Files From Non-Legitimate TLDs, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Sysprep On AppData Folder, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, WithSecure Elements Critical Severity, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Office Creating Suspicious File, AutoIt3 Execution From Suspicious Folder, Python Offensive Tools and Packages, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Aspnet Compiler"}, {"techniqueID": 
"T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, WithSecure Elements Critical Severity, SolarWinds Suspicious File Creation, PsExec Process, Exfiltration Via Pscp, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Non-Legitimate TLDs, Sysmon Windows File Block Executable"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1114.001", "score": 
100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allow Command, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows 
Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Control Panel Items, Mshta JavaScript Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Control Process, Suspicious Mshta Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1547.009", "score": 100, 
"comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, 
Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, 
{"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using 
Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, DHCP Server Loaded the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": 
"T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account 
Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network 
Sniffing Windows"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And 
Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": 
"T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: 
Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
index 92673e49aa..62a8d6b67d 100644
--- a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Suspicious Outlook Child Process, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Generic-reverse-shell-oneliner, Bloodhound and Sharphound Tools Usage, Microsoft Defender XDR Alert, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Linux Bash Reverse Shell, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Interactive Terminal Spawned via Python, Venom Multi-hop Proxy agent detection, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Socat Relaying Socket, Python Offensive Tools and Packages, Aspnet Compiler, Microsoft Office Spawning Script, Sysprep On AppData Folder, QakBot Process Creation, Microsoft Defender XDR Cloud App Security Alert, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender XDR Endpoint Alert, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Microsoft Defender XDR Office 365 Alert, Socat Reverse Shell Detection"}, 
{"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, Disabled Service, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus 
Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, Disabled Service, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, ETW Tampering, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, SELinux Disabling, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Explorer Wrong Parent"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": 
"T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Kernel Module Alteration, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil 
command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender XDR Endpoint Alert, Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Microsoft Defender XDR Cloud App Security Alert, Cobalt Strike Default Beacons Names, Winword Document Droppers, Microsoft Defender XDR Alert, Microsoft Defender XDR Office 365 Alert"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender XDR Endpoint Alert, Wininit Wrong Parent, SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Winrshost Wrong Parent, PsExec Process, Windows Update LolBins, Winword wrong parent, Suspicious DNS Child Process, Microsoft Defender XDR Cloud App Security Alert, SolarWinds Wrong Child Process, Microsoft Defender XDR Alert, Usage Of Procdump With Common Arguments, Microsoft Defender XDR Office 365 Alert, Exfiltration Via Pscp"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Suspicious HWP Child Process, SEKOIA.IO 
Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Python HTTP Server, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, 
Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Lazarus Loaders, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, MOFComp Execution, MavInject Process Injection, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll, Suspicious Regasm Regsvcs Usage, Mshta JavaScript 
Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Empire Monkey Activity, Equation Group DLL_U Load, Control Panel Items, CMSTP Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1140", 
"score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wininit Wrong Parent, Winrshost Wrong Parent, Winword wrong parent, New Service Creation, SolarWinds Wrong Child Process, Explorer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wininit Wrong Parent, Winrshost Wrong Parent, Winword wrong parent, New Service Creation, SolarWinds Wrong Child Process, Explorer Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Wininit Wrong Parent, Usage Of Sysinternals Tools, Winrshost Wrong Parent, PsExec Process, Winword wrong parent, SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": 
"T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, OceanLotus Registry Activity, FlowCloud Malware"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, 
{"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1069.002", 
"score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1064", "score": 
100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": 
"T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop 
Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, DNS Tunnel Technique From MuddyWater, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious HWP Child Process, Suspicious Outlook Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Defender XDR Alert, Winword Document Droppers, Microsoft Defender XDR Cloud App 
Security Alert, Cobalt Strike Default Beacons Names, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, Microsoft Defender XDR Endpoint Alert, Microsoft Defender XDR Office 365 Alert, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender XDR Alert, Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Sysprep On AppData Folder, Suspicious Windows Script Execution, Microsoft Defender XDR Office 365 Alert, Interactive Terminal Spawned via Python, Socat Reverse Shell Detection, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender XDR Cloud App Security Alert, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Office Spawning Script, Microsoft Defender XDR Endpoint Alert, Python Offensive Tools and Packages, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Socat Relaying Socket, Mshta Suspicious Child Process, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Cmd.exe Command Line, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Venom Multi-hop Proxy agent detection, Suspicious Outlook Child Process, Suspicious Taskkill Command, Aspnet Compiler"}, {"techniqueID": "T1569", "score": 100, "comment": 
"Rules: Usage Of Procdump With Common Arguments, Windows Update LolBins, Microsoft Defender XDR Alert, Microsoft Defender XDR Cloud App Security Alert, Microsoft Defender XDR Endpoint Alert, SolarWinds Suspicious File Creation, PsExec Process, Exfiltration Via Pscp, Winrshost Wrong Parent, Microsoft Defender XDR Office 365 Alert, SolarWinds Wrong Child Process, Winword wrong parent, Usage Of Sysinternals Tools, Wininit Wrong Parent, Suspicious DNS Child Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Rclone Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor 
Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SELinux Disabling, Suspicious Driver Loaded, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disabled Service"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, SELinux Disabling, Suspicious Driver Loaded, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allow Command, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender 
Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disabled Service"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution, IcedID Execution Using Excel, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious DLL Loading By Ordinal, xWizard Execution, Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, Mshta JavaScript Execution, MOFComp Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Control Process, Suspicious Mshta Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server 
Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, 
{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, RTLO Character, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port 
Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Winword wrong parent, Wininit Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Winword wrong parent, Wininit Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds 
Wrong Child Process, Suspicious DNS Child Process, Winword wrong parent, Usage Of Sysinternals Tools, Wininit Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution"}, 
{"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike 
Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Leviathan Registry Key Activity, Autorun Keys Modification, Kernel Module Alteration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To 
Determine The Antivirus"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: 
Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, 
{"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1055.009", "score": 
100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
index 9aa5cdfd94..5fcd0f3474 100644
--- a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session 
Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, 
{"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1040", "score": 100, 
"comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
index dfe4b0476b..fae2c15b04 100644
--- a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine 
Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, 
{"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Trend Micro Apex One Data Loss Prevention Alert, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Generic-reverse-shell-oneliner, Bloodhound and Sharphound Tools Usage, Trend Micro Apex One Malware Alert, Elise Backdoor, Linux Bash Reverse Shell, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Python Offensive Tools and Packages, Microsoft Office Creating Suspicious File, Aspnet Compiler, Sysprep On AppData Folder, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, 
Cron Files Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Trend Micro Apex One Data Loss Prevention Alert, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Trend Micro Apex One Malware Alert, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Trend Micro Apex One Data Loss Prevention Alert, SolarWinds Suspicious File Creation, PsExec Process, Trend Micro Apex One Malware Alert, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, 
{"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, Detect requests to Konni C2 servers"}, {"techniqueID": "T1190", "score": 100, "comment": 
"Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension, RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Lazarus Loaders, WMIC 
Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, AccCheckConsole Executing Dll, Suspicious Mshta Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Equation Group DLL_U Load, Control Panel Items, MavInject Process Injection, Suspicious Control Process, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, CMSTP Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, DNS 
Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery 
Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New 
DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, 
"comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": 
"T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": 
"T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Trend Micro Apex One Malware Alert, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Trend Micro Apex One Data Loss Prevention Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Trend Micro Apex One Malware Alert, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Sysprep On AppData Folder, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo 
Attack, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Office Creating Suspicious File, AutoIt3 Execution From Suspicious Folder, Python Offensive Tools and Packages, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Elise Backdoor, Suspicious PowerShell Invocations - Specific, Trend Micro Apex One Data Loss Prevention Alert, PowerShell Download From URL, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Aspnet Compiler"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Trend Micro Apex One Malware Alert, SolarWinds Suspicious File Creation, PsExec Process, Exfiltration Via Pscp, Trend Micro Apex One Data Loss Prevention Alert"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function, DNS 
Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, 
"comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allow Command, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Empire Monkey Activity, xWizard Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, 
PowerShell Execution Via Rundll32, CMSTP Execution, MavInject Process Injection"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious 
Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Rclone Process"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Opening, Windows 
Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control 
Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Netsh Port Forwarding, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, 
{"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": 
"T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop 
Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With 
Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1036.007", "score": 100, "comment": 
"Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux 
Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json index efa0a7af56..ea29a28200 100644 --- a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Netsh RDP Port Forwarding, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 
Encoded, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Suspicious PowerShell Invocations - Specific, Exploiting SetupComplete.cmd CVE-2019-1378, SentinelOne EDR SSO User Added, SentinelOne EDR Malicious Threat Not Mitigated, SquirrelWaffle Malspam Execution Loading DLL, Linux Bash Reverse Shell, Suspicious Taskkill Command, PowerShell EncodedCommand, SentinelOne EDR User Failed To Log In To The Management Console, Phorpiex DriveMgr Command, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Malicious Threat Detected And Mitigated 
Preemptively, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Threat Detected (Suspicious), Suspicious Cmd.exe Command Line, SentinelOne EDR Threat Detected (Malicious), Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Custom Rule Alert, Default Encoding To UTF-8 PowerShell, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence)"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR Agent Disabled, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR User Logged In To The Management Console, Download Files From Suspicious TLDs, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR User Failed To Log In To The Management Console, MS Office Product Spawning Exe in User Dir, SentinelOne EDR SSO User Added, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Custom Rule 
Alert, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Detected (Suspicious)"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR SSO User Added, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Custom Rule Alert, SolarWinds Wrong Child Process, SentinelOne EDR Malicious Threat Not Mitigated, Usage Of Procdump With Common Arguments, SentinelOne EDR Threat Detected (Suspicious)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, Detect requests to Konni C2 
servers"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Lazarus Loaders, WMIC Uninstall Product, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used 
To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Impacket Wmiexec Module, Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": 
"T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, CMSTP UAC Bypass via COM Object Access, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious 
desktop.ini Action"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs 
Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop 
Services And Remove Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR User Logged In To The Management Console, MS Office Product Spawning Exe in User Dir, SentinelOne EDR Threat Detected (Suspicious), Download Files From Suspicious TLDs, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report 
Quarantine Success, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR SSO User Added, SentinelOne EDR User Failed To Log In To The Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), SentinelOne EDR Agent Disabled, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Mitigation Report Remediate Success, Phorpiex DriveMgr Command, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SentinelOne EDR Threat Detected (Suspicious), SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR SSO User Added, SentinelOne EDR User Failed To Log In To The Management Console, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, SentinelOne EDR Threat Mitigation Report Kill Success, Linux Bash Reverse Shell, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Quarantine Success, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, SentinelOne EDR Malicious Threat Not Mitigated, PowerShell EncodedCommand, SentinelOne EDR Threat Mitigation Report Quarantine Failed, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, SentinelOne EDR User Logged In To The Management Console, Suspicious Taskkill Command"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation 
Report Kill Success, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Threat Detected (Suspicious), SolarWinds Wrong Child Process, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR SSO User Added, SentinelOne EDR User Failed To Log In To The Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, Impacket Wmiexec Module, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call 
Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Taskkill Command, Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File 
In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, 
Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Cron Files Alteration, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, 
{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, 
{"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Python HTTP Server"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via 
PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.007", "score": 100, "comment": 
"Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: 
SSH Authorized Key Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json index 2645deb442..60d8e8c734 100644 --- a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader 
User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json index 4154c60e83..dd69501cd5 100644 --- a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell 
AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", 
"score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Explorer Wrong Parent"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Suspicious Outlook Child Process, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Generic-reverse-shell-oneliner, Bloodhound and Sharphound Tools Usage, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Linux Bash Reverse Shell, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Aspnet Compiler, Microsoft Office Spawning Script, Sysprep On AppData Folder, QakBot Process Creation, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Cron Files Alteration, Qakbot 
Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, 
Python HTTP Server"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Lazarus Loaders, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, MOFComp Execution, MavInject Process Injection, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Empire Monkey Activity, Equation Group DLL_U Load, Control Panel Items, CMSTP Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow 
Command, Netsh Port Opening, Netsh RDP Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript 
Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Winword wrong parent, Explorer Wrong Parent, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Winword wrong parent, Explorer Wrong Parent, New Service Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Winword wrong parent, SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Windows Update LolBins, Winword wrong parent, Suspicious DNS Child Process, SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, 
Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1574.010", 
"score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, 
{"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, 
{"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1055.001", "score": 100, 
"comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, 
{"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace 
Alteration, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, 
PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allow Command, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Sysprep On AppData Folder, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Office Spawning Script, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Mshta 
Suspicious Child Process, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Cmd.exe Command Line, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Outlook Child Process, Suspicious Taskkill Command, Aspnet Compiler"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution, IcedID Execution Using Excel, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious DLL Loading By Ordinal, xWizard Execution, Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, Mshta JavaScript Execution, MOFComp Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Control Process, Suspicious Mshta Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, DNS Exfiltration and Tunneling 
Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing 
HTA File, Winword Document Droppers, Suspicious Outlook Child Process, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Outlook Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": 
"T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, SolarWinds Wrong Child Process, New Service Creation, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, SolarWinds Wrong Child Process, New Service Creation, Winword wrong parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Wrong Child Process, Winword wrong parent, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Windows Update LolBins, PsExec Process, Exfiltration Via Pscp, SolarWinds Wrong Child Process, Winword wrong 
parent, Suspicious DNS Child Process"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, 
{"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Python HTTP Server, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded 
Tool"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, 
"comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, 
{"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1574.010", "score": 100, "comment": 
"Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
index c921c38464..ea597762f2 100644
--- a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Process Trace Alteration, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall 
Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, AMSI Deactivation Using Registry Key, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, 
SEKOIA.IO Intelligence Feed, Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Lazarus Loaders, WMIC Uninstall Product"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion 
Command, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Ursnif Registry Key, OceanLotus Registry Activity, FlowCloud Malware"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, 
"comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.005", "score": 100, 
"comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear 
EventLogs Through CommandLine"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", 
"score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Windows Credential Editor Registry Key, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, 
{"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Venom Multi-hop Proxy agent detection, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, 
{"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Taskkill Command, Control Panel Items, Suspicious Windows Installer Execution, MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using 
Registry"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, 
{"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control 
Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": 
"Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, 
{"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json
index c3fe1fec25..76fc4761fb 100644
--- a/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Linux [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus 
Exclusion Command, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, 
{"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Lazarus Loaders, WMIC Uninstall Product"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": 
"Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using 
Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell 
EncodedCommand"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools 
Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Linux [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, 
"comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Lazarus Loaders, Suspicious Taskkill Command, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Taskkill Command, Control Panel Items, Suspicious Windows Installer Execution, MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, 
{"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.002", 
"score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": 
"T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To 
Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, 
{"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json index 596f106d7f..0e1b5fda00 100644 --- a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain 
Generation Algorithm), Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json index 4036300a97..d0ef8e138c 100644 --- a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Browser"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Browser"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1078.004", 
"score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Token Issuer Anomaly"}, 
{"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Token Issuer Anomaly"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json index 83a44ef13f..6e1ccfbf16 100644 --- a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json 
+++ b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": 
"Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite 
Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, 
"comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}]} \ No newline at end of file +{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect 
requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event 
Consumer File Write"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": 
"T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool 
Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json index b6a3dacb05..b5ac992192 100644 --- a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion 
Command, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, 
{"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Lazarus Loaders, WMIC Uninstall Product"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": 
"Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence 
Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": 
"Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, 
{"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, 
"comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Lazarus Loaders, Suspicious Taskkill Command, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Taskkill Command, Control Panel Items, Suspicious Windows Installer Execution, MavInject Process Injection"}, 
{"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: 
Suspicious Taskkill Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, 
{"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, 
"comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool 
Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json index de88d3d92a..68e6195c36 100644 --- a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine 
Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout 
Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, MavInject Process Injection, Taskhost Wrong Parent, Explorer Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Mshta Suspicious Child Process, Suspicious Outlook Child Process, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Exploiting SetupComplete.cmd CVE-2019-1378, Generic-reverse-shell-oneliner, CrowdStrike Falcon Identity Protection Detection High Severity, Bloodhound and Sharphound Tools Usage, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Linux Bash Reverse Shell, CrowdStrike Falcon Identity Protection Detection Critical Severity, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, CrowdStrike Falcon Identity Protection Detection Low Severity, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, CrowdStrike Falcon Identity Protection Detection Informational Severity, CrowdStrike Falcon Identity Protection Detection Medium Severity, Powershell Web Request, Python Offensive Tools and Packages, Aspnet Compiler, Microsoft Office Spawning Script, Sysprep On AppData Folder, QakBot Process Creation, CrowdStrike Falcon Intrusion Detection Informational Severity, Trickbot 
Malware Activity, PowerShell Malicious Nishang PowerShell Commandlets, CrowdStrike Falcon Intrusion Detection Low Severity, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, CrowdStrike Falcon Intrusion Detection, PowerShell Download From URL, CrowdStrike Falcon Intrusion Detection Critical Severity, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, CrowdStrike Falcon Intrusion Detection Medium Severity, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, CrowdStrike Falcon Intrusion Detection High Severity"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, 
"comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, CrowdStrike Falcon Identity Protection Detection High Severity, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Identity Protection Detection Critical Severity, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, CrowdStrike Falcon Identity Protection Detection Low Severity, Explorer Process Executing HTA File, Winword Document Droppers, CrowdStrike Falcon Identity Protection Detection Informational Severity, CrowdStrike Falcon Identity Protection Detection Medium Severity, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Intrusion Detection Critical Severity, Exploit For CVE-2015-1641, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Intrusion Detection High Severity"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, CrowdStrike Falcon Identity Protection Detection High Severity, PsExec Process, Windows Update LolBins, Winword wrong parent, Winlogon wrong parent, Rare Logonui Child Found, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, CrowdStrike Falcon Identity Protection Detection Critical Severity, Csrss Wrong Parent, CrowdStrike Falcon Identity Protection Detection Low Severity, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, CrowdStrike Falcon Identity Protection Detection Informational 
Severity, CrowdStrike Falcon Identity Protection Detection Medium Severity, Spoolsv Wrong Parent, Suspicious DNS Child Process, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Low Severity, Usage Of Procdump With Common Arguments, Csrss Child Found, CrowdStrike Falcon Intrusion Detection, Wininit Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, CrowdStrike Falcon Intrusion Detection Critical Severity, Wsmprovhost Wrong Parent, Smss Wrong Parent, CrowdStrike Falcon Intrusion Detection Medium Severity, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, CrowdStrike Falcon Intrusion Detection High Severity, Exfiltration Via Pscp"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Netsh Port Forwarding"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: 
Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Suspicious Mshta Execution, MOFComp Execution, MavInject Process Injection, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Empire Monkey Activity, Equation Group DLL_U Load, Control Panel Items, CMSTP Execution, PowerShell Execution Via Rundll32, 
Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": 
"T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Winword wrong parent, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, New Service Creation, Explorer Wrong Parent, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Userinit Wrong Parent, 
Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Winword wrong parent, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, New Service Creation, Explorer Wrong Parent, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, PsExec Process, Winword wrong parent, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent, Suspicious DNS Child Process, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, 
Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious CodePage Switch 
with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 
100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1064", "score": 100, 
"comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": 
"T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": 
"T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Identity Protection Detection Informational Severity, IcedID Execution Using Excel, CrowdStrike Falcon Intrusion Detection Informational Severity, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Identity Protection Detection Low Severity, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity, 
CrowdStrike Falcon Identity Protection Detection Medium Severity, Winword Document Droppers, CrowdStrike Falcon Identity Protection Detection High Severity, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, CrowdStrike Falcon Intrusion Detection High Severity, Explorer Process Executing HTA File, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, CrowdStrike Falcon Intrusion Detection Medium Severity, Sysprep On AppData Folder, Suspicious Windows Script Execution, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Identity Protection Detection Informational Severity, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, CrowdStrike Falcon Intrusion Detection Informational Severity, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Office Spawning Script, AutoIt3 Execution From Suspicious Folder, Python Offensive Tools and Packages, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Identity Protection Detection Low Severity, CrowdStrike Falcon Intrusion Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity, CrowdStrike Falcon Identity Protection Detection Medium Severity, Suspicious VBS Execution Parameter, Exploited CVE-2020-10189 Zoho ManageEngine, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Mshta Suspicious Child Process, Elise 
Backdoor, Suspicious PowerShell Invocations - Specific, CrowdStrike Falcon Identity Protection Detection High Severity, PowerShell Download From URL, Suspicious Cmd.exe Command Line, PowerShell EncodedCommand, CrowdStrike Falcon Intrusion Detection High Severity, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Outlook Child Process, Suspicious Taskkill Command, Trickbot Malware Activity, Aspnet Compiler"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, CrowdStrike Falcon Intrusion Detection Medium Severity, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Identity Protection Detection Informational Severity, Csrss Wrong Parent, Csrss Child Found, CrowdStrike Falcon Intrusion Detection Informational Severity, Rare Logonui Child Found, Winlogon wrong parent, Taskhost Wrong Parent, Exfiltration Via Pscp, CrowdStrike Falcon Identity Protection Detection Low Severity, Userinit Wrong Parent, CrowdStrike Falcon Intrusion Detection, Suspicious DNS Child Process, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity, CrowdStrike Falcon Identity Protection Detection Medium Severity, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, CrowdStrike Falcon Identity Protection Detection High Severity, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, CrowdStrike Falcon Intrusion Detection High Severity, Windows Update LolBins, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1041", "score": 
100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, 
{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allow Command, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using 
Registry, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution, IcedID Execution Using Excel, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious DLL Loading By Ordinal, xWizard Execution, Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Control Process, Suspicious Mshta Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL 
Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, New Service Creation, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, New Service Creation, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Suspicious DNS Child Process, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong 
Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, 
"comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, WMIC Uninstall Product"}, {"techniqueID": 
"T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, RTLO Character, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Empire Monkey Activity, SquirrelWaffle Malspam Execution 
Loading DLL, IcedID Execution Using Excel, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: 
Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Netsh Port Forwarding, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: 
Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, 
AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools 
Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious 
Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable 
Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
index 031420a8f4..d892fed2f6 100644
--- a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: 
LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: 
RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 
SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", 
"score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
index 5a704436dc..62782cef8f 100644
--- a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SSH Tunnel Traffic, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, SSH X11 Forwarding"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Kernel Module Alteration, Registry Key Used By Some Old Agent Tesla Samples, Svchost Modification, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL, DLL Load via LSASS Registry Key, Autorun Keys Modification, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder, Suspicious desktop.ini Action, Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loaded Via 
Office Applications, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, HarfangLab EDR High Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Spawning Script, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Low Level Rule Detection, Malspam Execution Registering Malicious DLL, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loaded Via Office Applications, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Defender Antivirus Threat Detected, Cobalt Strike Default Beacons Names, HarfangLab EDR High Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Spawning Script, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Low Level Rule Detection, Malspam Execution Registering Malicious DLL, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, Exploit For CVE-2015-1641"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension, Cisco Umbrella Threat Detected, Suspicious Outlook Child Process"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, 
{"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Chafer (APT 39) Activity"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Suspicious LDAP-Attributes Used, Sliver DNS Beaconing, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, Chafer (APT 39) Activity"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, GitLab CVE-2021-22205, Suspicious DNS Child Process"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Suspicious Taskkill Command, Putty Sessions Listing, SysKey Registry Keys Access"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, Lsass Access Through WinRM, Lateral Movement - Remote Named Pipe, Admin Share Access, Protected Storage Service Access, Cobalt Strike Default Service Creation Usage, MMC Spawning Windows Shell, RDP Port Change Using Powershell, Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, MMC20 Lateral Movement"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon, Account Added To A Security Enabled Group, Account Tampering - Suspicious Failed Logon 
Reasons, User Added to Local Administrators"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: DPAPI Domain Backup Key Extraction, Grabbing Sensitive Hives Via Reg Utility, Active Directory Database Dump Via Ntdsutil, LSASS Access From Non System Account, Cred Dump Tools Dropped Files, LSASS Memory Dump, NTDS.dit File Interaction Through Command Line, Mimikatz Basic Commands, Credential Dumping-Tools Common Named Pipes, Unsigned Image Loaded Into LSASS Process, HackTools Suspicious Process Names In Command Line, Suspicious SAM Dump, Rubeus Tool Command-line, Credential Dumping By LaZagne, Copying Browser Files With Credentials, Credential Dumping Tools Service Execution, Process Memory Dump Using Comsvcs, Impacket Secretsdump.py Tool, LSASS Memory Dump File Creation, Active Directory Replication from Non Machine Account, SAM Registry Hive Handle Request, Malicious Service Installations, DCSync Attack, Windows Credential Editor Registry Key, RedMimicry Winnti Playbook Dropped File, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, Load Of dbghelp/dbgcore DLL From Suspicious Process, Wdigest Enable UseLogonCredential, NTDS.dit File In Suspicious Directory, Lsass Access Through WinRM, Transfering Files With Credential Data Via Network Shares, Password Dumper Activity On LSASS, Mimikatz LSASS Memory Access, Copying Sensitive Files With Credential Data, Dumpert LSASS Process Dumper, NetNTLM Downgrade Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Protected Storage Service Access, Lateral Movement - Remote Named Pipe, Cobalt Strike Default 
Service Creation Usage, Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, Admin Share Access"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Execution From Suspicious Folder, AutoIt3 Execution From Suspicious Folder, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, New Or Renamed User Account With '$' In Attribute 'SamAccountName', RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Mshta Suspicious Child Process, Suspicious Outlook Child Process, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Exploiting SetupComplete.cmd CVE-2019-1378, Alternate PowerShell Hosts Pipe, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Bloodhound and Sharphound Tools Usage, Invoke-TheHash Commandlets, In-memory PowerShell, WMI DLL Loaded Via Office, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Keywords, PowerShell Credential Prompt, Detection of default Mimikatz banner, Suspicious DLL Loaded Via Office Applications, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Venom Multi-hop Proxy agent detection, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Microsoft Defender Antivirus Threat 
Detected, PowerShell - NTFS Alternate Data Stream, Microsoft Office Creating Suspicious File, Aspnet Compiler, Suspicious Scripting In A WMI Consumer, Mustang Panda Dropper, Microsoft Office Spawning Script, Sysprep On AppData Folder, QakBot Process Creation, Malspam Execution Registering Malicious DLL, WMImplant Hack Tool, Trickbot Malware Activity, PowerShell Malicious Nishang PowerShell Commandlets, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Turla Named Pipes, Suspicious CodePage Switch with CHCP, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable SecurityHealth, Debugging Software Deactivation, Disabled IE Security Features, Disable Windows Defender Credential Guard, Raccine Uninstall, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Exclusion Configuration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender 
Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Using Registry, Microsoft Malware Protection Engine Crash, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Ryuk Ransomware Command Line, TrustedInstaller Impersonation, Windows Defender Deactivation Using PowerShell Script, AMSI Deactivation Using Registry Key, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetNTLM Downgrade Attack"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable SecurityHealth, Powershell AMSI Bypass, Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Disable Windows Defender Credential Guard, Raccine Uninstall, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Exclusion Configuration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Using Registry, Microsoft Malware Protection Engine Crash, Suspect Svchost Memory Access, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Dism Disabling Windows 
Defender, Python Opening Ports, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Ryuk Ransomware Command Line, TrustedInstaller Impersonation, Microsoft Defender Antivirus Tampering Detected, Windows Defender Deactivation Using PowerShell Script, AMSI Deactivation Using Registry Key, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Disable Security Events Logging Adding Reg Key MiniNt, ETW Tampering, Windows Firewall Changes, NetNTLM Downgrade Attack, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, AD Object WriteDAC Access, File Or Folder Permissions Modifications"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine, Malspam Execution Registering Malicious DLL, Lazarus Loaders, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Suspicious Mshta Execution, MOFComp Execution, MavInject Process Injection, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Suspicious Taskkill Command, Dynwrapx Module Loading, IcedID Execution Using Excel, Explorer Process Executing HTA File, Suspicious 
Regsvr32 Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, Mshta JavaScript Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Empire Monkey Activity, Equation Group DLL_U Load, Control Panel Items, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Empire Monkey Activity, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Privileged AD Builtin Group Modified, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory Replication User Backdoor, Active Directory User Backdoors, User Added to Local Administrators, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Active Directory Delegate To KRBTGT Service"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Opening, Netsh Port Forwarding, Python Opening Ports, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Suncrypt Parameters, Commonly 
Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Alternate PowerShell Hosts Pipe, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Bloodhound and Sharphound Tools Usage, Invoke-TheHash Commandlets, In-memory PowerShell, Suspicious PowerShell Keywords, PowerShell Credential Prompt, Detection of default Mimikatz banner, Suspicious Taskkill Command, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, PowerShell - NTFS Alternate Data Stream, WMImplant Hack Tool, PowerShell Malicious PowerShell Commandlets, PowerShell Malicious Nishang PowerShell Commandlets, Malicious PowerShell Keywords, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine, Turla Named Pipes, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious DLL Loaded Via Office Applications, Microsoft Office Spawning Script, QakBot Process Creation, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, WMI 
DLL Loaded Via Office, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: AD User Enumeration, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Remote Privileged Group Enumeration, PowerView commandlets 2, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Creation or Modification of a GPO Scheduled Task, Chafer (APT 39) Activity"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Creation or Modification of a GPO Scheduled Task, Chafer (APT 39) Activity, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or 
Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery, Domain Trust Created Or Removed"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Registry Key Used By Some Old Agent Tesla Samples, Leviathan Registry Key Activity, Svchost Modification, Autorun Keys Modification, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder, Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Phosphorus Domain Controller Discovery, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage, Trickbot Malware Activity, PowerView commandlets 2"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, WMImplant Hack Tool, Invoke-TheHash Commandlets, Wmic Process Call Creation, WMI DLL Loaded Via Office, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Load Of dbghelp/dbgcore DLL From Suspicious Process, Credential Dumping-Tools Common Named Pipes, Unsigned Image Loaded Into LSASS Process, Lsass Access Through WinRM, Windows Credential Editor Registry Key, Cred Dump Tools Dropped Files, Password Dumper Activity On LSASS, Process Memory Dump Using Rdrleakdiag, Credential Dumping By LaZagne, Mimikatz LSASS Memory Access, Credential Dumping Tools Service Execution, LSASS Access From Non System Account, Dumpert LSASS Process Dumper, Process Memory Dump Using Createdump, LSASS Memory Dump File Creation, LSASS Memory Dump"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence 
Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Suspicious Scripting In A WMI Consumer, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, WMI Event Subscription, WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Cred Dump Tools Dropped Files, Active Directory Database Dump Via Ntdsutil, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Cobalt Strike Default Service Creation Usage, Winword wrong parent, WMI Persistence Command Line Event Consumer, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Chafer (APT 39) Activity, Spoolsv Wrong Parent, APT29 Fake Google Update Service Install, Malicious Service Installations, Searchprotocolhost Wrong Parent, StoneDrill Service Install, Winrshost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Explorer Wrong Parent, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, 
Gpscript Suspicious Parent, Cobalt Strike Default Service Creation Usage, Winword wrong parent, WMI Persistence Command Line Event Consumer, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Chafer (APT 39) Activity, Spoolsv Wrong Parent, APT29 Fake Google Update Service Install, Malicious Service Installations, Searchprotocolhost Wrong Parent, StoneDrill Service Install, Winrshost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Explorer Wrong Parent, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Gpscript Suspicious Parent, PsExec Process, Winword wrong parent, WMI Persistence Command Line Event Consumer, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Suspicious PsExec Execution, Taskhostw Wrong Parent, Credential Dumping Tools Service Execution, Searchprotocolhost Child Found, Lsass Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Smbexec.py Service Installation, Spoolsv Wrong Parent, Suspicious DNS Child Process, Malicious Service Installations, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Metasploit PSExec Service Creation, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, 
Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Gpscript Suspicious Parent, PsExec Process, Windows Update LolBins, Winword wrong parent, WMI Persistence Command Line Event Consumer, Winlogon wrong parent, Rare Logonui Child Found, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, Csrss Wrong Parent, Suspicious PsExec Execution, Taskhostw Wrong Parent, Credential Dumping Tools Service Execution, Searchprotocolhost Child Found, Lsass Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Smbexec.py Service Installation, Microsoft Defender Antivirus Threat Detected, Spoolsv Wrong Parent, Suspicious DNS Child Process, Malicious Service Installations, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Metasploit PSExec Service Creation, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent, Exfiltration Via Pscp"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line, Suspicious Outbound Kerberos Connection, Rubeus Register New Logon Process"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, Suspicious DLL side loading from ProgramData, Werfault DLL Injection, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DHCP 
Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Exploiting SetupComplete.cmd CVE-2019-1378, Svchost DLL Search Order Hijack, Hijack Legit RDP Session To Move Laterally, Suspicious DLL side loading from ProgramData, Windows Registry Persistence COM Search Order Hijacking, Werfault DLL Injection, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Handle Failure, PowerView commandlets 2, SCM Database Privileged Operation"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In, IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Malicious Named Pipe, Dynwrapx Module Loading, Wsmprovhost Wrong Parent, Process Hollowing Detection, Searchprotocolhost Wrong Parent, Process Herpaderping, Smss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, MavInject Process Injection, 
Cobalt Strike Named Pipes, Taskhost Wrong Parent, Explorer Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Network Connection Via Certutil"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Suspicious New Printer Ports In Registry, Antivirus Exploitation Framework Detection, Suspicious HWP Child Process, Exploit For CVE-2015-1641, Audit CVE Event, Antivirus Password Dumper Detection, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, Cmdkey Cached Credentials Recon, Credential Dumping Tools Service Execution, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Disable Workstation Lock, Wdigest Enable UseLogonCredential, Suspicious New Printer Ports In Registry, Remote Registry Management Using Reg Utility, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Port Change Using Powershell, Disable Security Events Logging Adding Reg Key MiniNt, Ursnif Registry Key, Chafer (APT 39) Activity, NetNTLM Downgrade Attack, FlowCloud Malware"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, 
Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO, Rubeus Tool Command-line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Share Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.002", "score": 100, 
"comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, RedMimicry Winnti Playbook Dropped File, Suspicious SAM Dump, Copying Browser Files With Credentials, Credential Dumping Tools Service Execution, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, SAM Registry Hive Handle Request"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted, ETW Tampering, Secure Deletion With SDelete, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File, Secure Deletion With SDelete"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, TUN/TAP Driver Installation, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, 
{"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: DPAPI Domain Backup Key Extraction, Credential Dumping-Tools Common Named Pipes, Grabbing Sensitive Hives Via Reg Utility, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, DCSync Attack, Active Directory Replication from Non Machine Account"}, 
{"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable .NET ETW 
Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, Netsh Port Forwarding"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: 
IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Dynwrapx Module Loading, IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web 
Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Active Directory Shadow Credentials, KeePass Config XML In Command-Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": 
"T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Critical Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Hlai Engine Detection, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Microsoft Office 
Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loaded Via Office Applications, Winword Document Droppers, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, HarfangLab EDR High Level Rule Detection, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Low Level Rule Detection, Sysmon Windows File Block Executable"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Critical Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Hlai Engine Detection, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loaded Via Office Applications, Winword Document Droppers, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Defender Antivirus Threat Detected, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Low Level Rule Detection, Sysmon Windows File Block Executable"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil, Suspicious certutil command, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Rclone Process"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: DCSync Attack, Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003", "score": 
100, "comment": "Rules: Active Directory Replication from Non Machine Account, Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, LSASS Access From Non System Account, HackTools Suspicious Process Names In Command Line, Active Directory Database Dump Via Ntdsutil, Credential Dumping Tools Service Execution, Transfering Files With Credential Data Via Network Shares, NetNTLM Downgrade Attack, Malicious Service Installations, LSASS Memory Dump, DPAPI Domain Backup Key Extraction, DCSync Attack, Credential Dumping-Tools Common Named Pipes, NTDS.dit File In Suspicious Directory, RedMimicry Winnti Playbook Dropped File, Process Memory Dump Using Createdump, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Password Dumper Activity On LSASS, LSASS Memory Dump File Creation, Credential Dumping By LaZagne, Cred Dump Tools Dropped Files, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Comsvcs, Unsigned Image Loaded Into LSASS Process, Impacket Secretsdump.py Tool, SAM Registry Hive Handle Request, WCE wceaux.dll Creation, Wdigest Enable UseLogonCredential, Lsass Access Through WinRM, Dumpert LSASS Process Dumper, Cmdkey Cached Credentials Recon, Mimikatz LSASS Memory Access, Suspicious SAM Dump, HackTools Suspicious Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: LSASS Memory Dump File Creation, Credential Dumping By LaZagne, Windows Credential Editor Registry Key, LSASS Access From Non System Account, LSASS Memory Dump, Credential Dumping-Tools Common Named Pipes, Lsass Access Through WinRM, Cred Dump Tools Dropped Files, Load Of dbghelp/dbgcore DLL From Suspicious Process, Dumpert LSASS Process Dumper, Process Memory Dump Using Createdump, Mimikatz LSASS Memory Access, Process Memory Dump Using Rdrleakdiag, Unsigned 
Image Loaded Into LSASS Process, Credential Dumping Tools Service Execution, Password Dumper Activity On LSASS"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: AD Object WriteDAC Access, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, TUN/TAP Driver Installation"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Windows Defender Credential Guard, Netsh Port Opening, NetNTLM Downgrade Attack, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable 
SecurityHealth, Debugging Software Deactivation, Disabled IE Security Features, Ryuk Ransomware Command Line, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Configuration Changed, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Using Registry, Netsh Program Allowed With Suspicious Location, TrustedInstaller Impersonation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Disable Task Manager Through Registry Key, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspect Svchost Memory Access, Windows Firewall Changes, Python Opening Ports, Netsh Allowed Python Program, Disable Windows Defender Credential Guard, Netsh Port Opening, Disable Security Events Logging Adding Reg Key MiniNt, NetNTLM Downgrade Attack, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious PROCEXP152.sys File Created In Tmp, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Allow Command, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Ryuk Ransomware Command Line, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Configuration Changed, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Exclusion Configuration, 
Microsoft Defender Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Using Registry, Netsh Program Allowed With Suspicious Location, TrustedInstaller Impersonation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Suspicious Windows Script Execution, WMI DLL Loaded Via Office, Suspicious CodePage Switch with CHCP, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Malspam Execution Registering Malicious DLL, Suspicious DLL Loaded Via Office Applications"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Sysprep On AppData Folder, Suspicious PowerShell Keywords, Suspicious XOR Encoded PowerShell Command Line, Suspicious Windows Script Execution, Malicious PowerShell Keywords, Detection of default Mimikatz banner, In-memory PowerShell, XSL Script Processing And SquiblyTwo Attack, Malspam Execution Registering Malicious DLL, PowerShell Malicious PowerShell Commandlets, WMIC Uninstall Product, Alternate PowerShell Hosts Pipe, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, 
Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, AutoIt3 Execution From Suspicious Folder, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Scripting In A WMI Consumer, Suspicious DLL Loaded Via Office Applications, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell - NTFS Alternate Data Stream, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious VBS Execution Parameter, FromBase64String Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Suspicious PowerShell Invocations - Generic, WMImplant Hack Tool, WMI DLL Loaded Via Office, Suspicious CodePage Switch with CHCP, Mshta Suspicious Child Process, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, Mustang Panda Dropper, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Venom Multi-hop Proxy agent detection, Suspicious Outlook Child Process, Suspicious Taskkill Command, Trickbot Malware Activity, Turla Named Pipes, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Credential Prompt, Aspnet Compiler, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, 
Malspam Execution Registering Malicious DLL, Suspicious Regasm Regsvcs Usage, IcedID Execution Using Excel, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Dynwrapx Module Loading, Explorer Process Executing HTA File, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Control Process, Suspicious Mshta Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware, Impacket Wmiexec Module, WMI DLL Loaded Via Office, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Process Hollowing Detection, CreateRemoteThread Common Process Injection, Process Herpaderping, Searchprotocolhost Wrong Parent, Malicious Named Pipe, Cobalt Strike Named Pipes, Suspicious Process Requiring DLL Starts Without DLL, Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare 
Logonui Child Found, Malicious Service Installations, New Service Creation, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, StoneDrill Service Install, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Cobalt Strike Default Service Creation Usage, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, APT29 Fake Google Update Service Install, Gpscript Suspicious Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Chafer (APT 39) Activity, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, Malicious Service Installations, New Service Creation, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, StoneDrill Service Install, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Cobalt Strike Default Service Creation Usage, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, APT29 Fake Google Update Service Install, Gpscript Suspicious Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Chafer (APT 39) Activity, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Credential Dumping Tools 
Service Execution, Csrss Child Found, Rare Logonui Child Found, Malicious Service Installations, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Smbexec.py Service Installation, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Gpscript Suspicious Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Suspicious PsExec Execution, Wsmprovhost Wrong Parent, Metasploit PSExec Service Creation, Logonui Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Credential Dumping Tools Service Execution, Csrss Child Found, Rare Logonui Child Found, Malicious Service Installations, Winlogon wrong parent, Taskhost Wrong Parent, Exfiltration Via Pscp, Userinit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Smbexec.py Service Installation, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Microsoft Defender Antivirus Threat Detected, Winrshost Wrong Parent, Wininit Wrong Parent, Windows Update LolBins, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Gpscript Suspicious Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Suspicious PsExec Execution, Wsmprovhost Wrong Parent, Metasploit PSExec Service Creation, Logonui Wrong Parent"}, {"techniqueID": "T1547.009", "score": 100, 
"comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, DLL Load via LSASS Registry Key, Svchost Modification, Autorun Keys Modification, Malware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples, NjRat Registry Changes, Powershell Winlogon Helper DLL, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Ryuk Ransomware Persistence Registry Key, Narrator Feedback-Hub Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading, Antivirus Web Shell Detection"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading, Antivirus Web Shell Detection"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Privileged AD Builtin Group Modified, GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Suspicious XOR Encoded PowerShell Command Line, Malicious PowerShell Keywords, Detection of default Mimikatz banner, In-memory PowerShell, PowerShell Malicious PowerShell Commandlets, Alternate PowerShell Hosts Pipe, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Set-MpPreference 
Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell - NTFS Alternate Data Stream, Exploited CVE-2020-10189 Zoho ManageEngine, FromBase64String Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Generic, WMImplant Hack Tool, Mshta Suspicious Child Process, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Turla Named Pipes, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Credential Prompt, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Secure Deletion With SDelete, Eventlog Cleared, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Suspicious DLL side loading from ProgramData, DHCP Server Error Failed Loading the CallOut DLL, Svchost DLL Search Order Hijack, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Werfault DLL Injection"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Suspicious DLL side loading from ProgramData, DHCP Server Error Failed Loading the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking, 
DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Werfault DLL Injection, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, DHCP Callout DLL Installation, Disable Security Events Logging Adding Reg Key MiniNt, Wdigest Enable UseLogonCredential, Suspicious New Printer Ports In Registry, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, Chafer (APT 39) Activity, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, RDP Sensitive Settings Changed, Remote Registry Management Using Reg Utility, DNS ServerLevelPluginDll Installation, RDP Port Change Using Powershell, NetNTLM Downgrade Attack, OceanLotus Registry Activity, Disable Workstation Lock, FlowCloud Malware"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Svchost Modification, Autorun Keys Modification, Malware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples, RUN Registry Key Created From Suspicious Folder, Ryuk Ransomware Persistence Registry Key, Narrator Feedback-Hub Persistence"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, User Added to Local Administrators, Denied Access To Remote Desktop, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group, Admin User RDP Remote Logon, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, NTDS.dit File In Suspicious Directory, 
Cred Dump Tools Dropped Files, Active Directory Database Dump Via Ntdsutil, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, GitLab CVE-2021-22205, Failed Logon Source From Public IP Addresses, Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, WMIC Uninstall Product"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: 
Suspicious HWP Child Process, Suspicious Outlook Child Process, Cisco Umbrella Threat Detected, Suspicious Double Extension"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts, Suspicious HWP Child Process, Audit CVE Event, Msdt (Follina) File Browse Process Execution, Antivirus Password Dumper Detection, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Remote Registry Management Using Reg Utility, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Copy Of Legitimate System32 Executable, RTLO Character, Execution From Suspicious Folder, Legitimate Process Execution From Unusual Folder, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": 
"Rules: Netsh Allow Command, Powershell AMSI Bypass, Netsh RDP Port Opening, Python Opening Ports, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, SAM Registry Hive Handle Request, Grabbing Sensitive Hives Via Reg Utility, RedMimicry Winnti Playbook Dropped File, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Suspicious Taskkill Command, SysKey Registry Keys Access, Putty Sessions Listing"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence 
Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Creation or Modification of a GPO Scheduled Task, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Blue Mockingbird Malware, Chafer (APT 39) Activity, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Remote Task Creation Via ATSVC Named Pipe, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Creation or Modification of a GPO Scheduled Task, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Chafer (APT 39) Activity, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding 
Files With Attrib.exe, PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Handle Failure, SCM Database Privileged Operation, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, Remote Privileged Group Enumeration, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AD User Enumeration"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, AdFind Usage, Phosphorus Domain Controller Discovery"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding, SOCKS Tunneling Tool, SSH Tunnel Traffic, Exfiltration And Tunneling Tools Execution, SSH X11 Forwarding"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 
100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Cmdkey Cached Credentials Recon, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access, Lateral Movement - Remote Named Pipe, Cobalt Strike Default Service Creation Usage, Admin Share Access"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement, Smbexec.py Service Installation, RDP Login From Localhost, Remote Service Activity Via SVCCTL Named Pipe, Lsass Access Through WinRM, RDP Port Change Using Powershell, Protected Storage Service Access, Lateral Movement - Remote Named Pipe, Cobalt Strike Default Service Creation Usage, Denied Access To Remote Desktop, Admin Share Access"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries, Suspicious LDAP-Attributes Used, Chafer (APT 39) Activity, Exfiltration And Tunneling Tools 
Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel, Microsoft Office Startup Add-In"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack, Suspicious Outbound Kerberos Connection, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Register New Logon Process"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event, Suspicious New Printer Ports In Registry"}, {"techniqueID": 
"T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance, AD User Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, WMI Event Subscription, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Control Panel Items, Change Default File Association, Suspicious Scripting In A WMI Consumer, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel, Dynwrapx Module Loading"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Suspicious 
Windows DNS Queries, Python HTTP Server"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Rubeus Tool Command-line, Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, User Added to Local Administrators, Active Directory User Backdoors, Privileged AD Builtin Group Modified, Active Directory Replication User Backdoor, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Active Directory Delegate To KRBTGT Service"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With 
SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, Secure Deletion With SDelete, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, WMI Event Subscription, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": 
"T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, Netsh Port Forwarding"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt 
Parameters"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": 
"T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}]} \ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
index 7240dd9ede..6e43f04003 100644
--- a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Kaspersky Endpoint Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, 
{"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Kaspersky Endpoint Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, 
"comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
index 424f64f250..162ca30c24 100644
--- a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, LokiBot Default C2 URL, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, 
"comment": "Rules: TrevorC2 HTTP Communication, LokiBot Default C2 URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file 
+{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Email Attachment Received, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double 
Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
index 8c0cf1184e..5ebc52b536 100644
--- a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json 
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, DHCP Server Error 
Failed Loading the CallOut DLL"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, AMSI Deactivation Using Registry Key, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism 
Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Tampering Detected, AMSI Deactivation Using Registry Key, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, MavInject Process Injection, Taskhost Wrong Parent, Explorer Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Mshta Suspicious Child Process, Suspicious Outlook Child Process, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Exploiting SetupComplete.cmd CVE-2019-1378, Generic-reverse-shell-oneliner, Bloodhound and Sharphound Tools Usage, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Linux Bash Reverse Shell, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus 
Exclusion Command, Powershell Web Request, Microsoft Defender Antivirus Threat Detected, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Sysprep On AppData Folder, QakBot Process Creation, Trickbot Malware Activity, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Kernel Module Alteration, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting 
Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Sysmon Windows File Block Executable, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Threat Detected, Microsoft Office Creating Suspicious File, Suspicious Outlook Child Process, Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Sysmon Windows File Block Executable, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process"}, 
{"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Netsh Port Forwarding"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1222.001", 
"score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Suspicious Mshta Execution, MOFComp Execution, MavInject Process Injection, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Empire Monkey Activity, Equation Group DLL_U Load, Control Panel Items, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Empire Monkey Activity, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": 
"T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call 
Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Winword wrong parent, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Explorer Wrong Parent, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Winword wrong parent, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Explorer Wrong Parent, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, PsExec Process, Winword wrong parent, Winlogon wrong parent, Rare Logonui Child 
Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent, Suspicious DNS Child Process, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, PsExec Process, Windows Update LolBins, Winword wrong parent, Winlogon wrong parent, Rare Logonui Child Found, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Microsoft Defender Antivirus Threat Detected, Spoolsv Wrong Parent, Suspicious DNS Child Process, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, 
{"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Audit CVE Event, Suspicious HWP Child Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, OceanLotus Registry Activity, FlowCloud Malware"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", 
"score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, 
STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": 
"T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": 
"T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: 
Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: 
CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ 
No newline at end of file +{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, Sysmon Windows File Block Executable, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Microsoft Defender Antivirus Threat Detected, MS Office Product Spawning Exe in User Dir, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, Exploit For CVE-2015-1641"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To 
Download File, Pandemic Windows Implant, Rclone Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET 
Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allow Command, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution 
Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Sysprep On AppData Folder, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, AutoIt3 Execution From Suspicious Folder, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Mshta Suspicious Child Process, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Outlook Child Process, Suspicious Taskkill Command, Trickbot Malware Activity"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office 
Equation Editor Vulnerability, Equation Group DLL_U Load, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution, Suspicious Regasm Regsvcs Usage, IcedID Execution Using Excel, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Control Process, Suspicious Mshta Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost 
Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, New Service Creation, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, New Service Creation, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass 
Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, Winlogon wrong parent, Taskhost Wrong Parent, Exfiltration Via Pscp, Userinit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Microsoft Defender Antivirus Threat Detected, Winrshost Wrong Parent, Wininit Wrong Parent, Windows Update LolBins, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, NjRat Registry Changes, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1484.002", 
"score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass 
Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, WMIC Uninstall Product"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Audit CVE Event, Exploit For CVE-2015-1641"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Container Credential Access, 
XCopy Suspicious Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, RTLO Character, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, 
Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, DHCP Server Loaded the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Netsh Port Forwarding, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1531", "score": 100, 
"comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, 
{"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries, Python HTTP Server"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC 
Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download 
File"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, 
{"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1574.010", "score": 100, "comment": 
"Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker 
Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
index 6ff96b59c8..6a204a0d34 100644
--- a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD 
Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 
SonicWall Arbitrary File Read"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, Sliver DNS Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": 
"T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", 
"score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json index 1560e1cfb6..c285456618 100644 --- a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender 
Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Python HTTP Server, Potential Lemon Duck User-Agent, DNS Exfiltration and Tunneling Tools Execution, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence 
Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Python HTTP Server, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Lazarus Loaders, WMIC Uninstall Product"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": 
"Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": 
"T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port 
Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", 
"score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, WCE wceaux.dll Creation, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall 
Product, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Lazarus Loaders, Suspicious Taskkill Command, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL 
Loading By Ordinal, CertOC Loading Dll, Suspicious Taskkill Command, Control Panel Items, Suspicious Windows Installer Execution, MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, 
WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, 
{"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Python HTTP Server, Nimbo-C2 User Agent"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1040", "score": 
100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: 
Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json index 6ee768be43..1c10beca8a 100644 --- a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, 
{"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": 
"T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": 
"T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: 
SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Potential Lemon Duck 
User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation, Exchange Server Creating 
Unusual Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: 
Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json index a850678936..067883a6b8 100644 --- a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate 
Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible 
Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, 
Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, 
{"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json index cf77eaa9fd..3a20dd8926 100644 --- a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, WCE wceaux.dll Creation, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, 
Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, AMSI Deactivation Using Registry Key, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port 
Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Tampering Detected, AMSI Deactivation Using Registry Key, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, MavInject Process Injection, Taskhost Wrong Parent, Explorer Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Mshta Suspicious Child Process, Suspicious Outlook Child Process, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Exploiting SetupComplete.cmd CVE-2019-1378, Generic-reverse-shell-oneliner, Bloodhound and Sharphound Tools Usage, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Linux Bash Reverse Shell, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, 
Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Microsoft Defender Antivirus Threat Detected, Python Offensive Tools and Packages, Microsoft Office Creating Suspicious File, Aspnet Compiler, Microsoft Office Spawning Script, Sysprep On AppData Folder, QakBot Process Creation, Trickbot Malware Activity, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Cron Files Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel 
Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Kernel Module Alteration, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Hlai Engine Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Exploit For CVE-2015-1641, HarfangLab EDR Low Level Rule Detection, Sysmon Windows File Block Executable, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, HarfangLab EDR High Level Rule Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: 
Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Defender Antivirus Threat Detected, Cobalt Strike Default Beacons Names, HarfangLab EDR High Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Spawning Script, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, Exploit For CVE-2015-1641"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Python HTTP Server, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", 
"score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Suspicious Mshta Execution, MOFComp 
Execution, MavInject Process Injection, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Empire Monkey Activity, Equation Group DLL_U Load, Control Panel Items, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Empire Monkey Activity, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Taskkill Command, 
PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Winword wrong parent, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, 
Explorer Wrong Parent, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Winword wrong parent, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Explorer Wrong Parent, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, PsExec Process, Winword wrong parent, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent, Suspicious DNS Child Process, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, PsExec Process, Windows Update LolBins, Winword 
wrong parent, Winlogon wrong parent, Rare Logonui Child Found, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Microsoft Defender Antivirus Threat Detected, Spoolsv Wrong Parent, Suspicious DNS Child Process, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive 
Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Ursnif Registry Key, OceanLotus Registry Activity, FlowCloud Malware"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", 
"score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket 
Addcomputer"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.007", "score": 100, "comment": 
"Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1547.001", "score": 100, 
"comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: 
XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", 
"score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Critical Level Rule Detection, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Hlai Engine Detection, Sysmon Windows File Block Executable, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Low Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Exploit For CVE-2015-1641, HarfangLab EDR High Level Rule Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Critical Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Hlai Engine Detection, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Defender Antivirus Threat 
Detected, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, HarfangLab EDR High Level Rule Detection, Explorer Process Executing HTA File, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Low Level Rule Detection, Sysmon Windows File Block Executable"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Potential Lemon Duck User-Agent, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Rclone Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Grabbing 
Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 
100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allow Command, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Sysprep On AppData Folder, Suspicious Windows 
Script Execution, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, AutoIt3 Execution From Suspicious Folder, Python Offensive Tools and Packages, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Mshta Suspicious Child Process, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Outlook Child Process, Suspicious Taskkill Command, Trickbot Malware Activity, Aspnet Compiler"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution, Suspicious Regasm Regsvcs Usage, IcedID Execution Using Excel, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Control Panel Items, SquirrelWaffle Malspam 
Execution Loading DLL, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Control Process, Suspicious Mshta Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, New Service Creation, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong 
Parent, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, New Service Creation, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, Winlogon wrong parent, Taskhost Wrong Parent, Exfiltration Via Pscp, Userinit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, Rare Lsass Child Found, 
Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Microsoft Defender Antivirus Threat Detected, Winrshost Wrong Parent, Wininit Wrong Parent, Windows Update LolBins, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, NjRat Registry Changes, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, 
Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, 
{"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, WMIC Uninstall Product"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, RTLO Character, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": 
"T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed 
Logon Source From Public IP Addresses"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, DHCP Server Loaded the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, 
"comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys 
Modification"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1219", "score": 100, "comment": 
"Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", 
"score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", 
"score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.006", "score": 100, 
"comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json index 18956f3aa0..be9b9653b3 100644 --- a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file +{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", 
"score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json index cbf1127f22..5507b5c627 100644 --- a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR CorePUA Detection, Download Files From Suspicious TLDs, Sophos EDR Application Blocked, Sophos EDR Application Detected, Sophos EDR CorePUA Clean"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, 
"comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR CorePUA Clean, Sophos EDR Application Blocked, Download Files From Suspicious TLDs, Sophos EDR CorePUA Detection, Sophos EDR Application Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": 
"T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json index 8bbb43e21c..8826a5ccdf 100644 --- a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json 
+++ b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, 
CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": 
"T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": 
"Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Aspnet Compiler"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, 
"comment": "Rules: SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Potential Lemon Duck 
User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Aspnet Compiler"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache 
Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, 
{"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json index 0a3b7659e0..442f447ee1 100644 --- a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0 [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Load Of dbghelp/dbgcore DLL From Suspicious Process, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, 
{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, AMSI Deactivation Using Registry Key, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, AMSI Deactivation Using Registry Key, Netsh RDP Port Opening, 
MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, MavInject Process Injection, Taskhost Wrong Parent, Explorer Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Mshta Suspicious Child Process, Suspicious Outlook Child Process, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Exploiting SetupComplete.cmd CVE-2019-1378, Generic-reverse-shell-oneliner, Bloodhound and Sharphound Tools Usage, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Linux Bash Reverse Shell, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Python Offensive Tools and Packages, Aspnet Compiler, Microsoft Office Spawning Script, Sysprep On AppData Folder, QakBot Process Creation, Trickbot Malware Activity, 
PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Cron Files Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Kernel Module Alteration, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: 
Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web 
Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Download 
Files From Suspicious TLDs, Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", "score": 100, 
"comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Suspicious Mshta Execution, MOFComp Execution, MavInject Process Injection, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Empire Monkey Activity, Equation Group DLL_U Load, Control Panel Items, CMSTP Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Suspicious PowerShell 
Invocations - Specific, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Winword wrong parent, WMI Persistence Command Line Event Consumer, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Explorer Wrong Parent, Csrss Child Found, Wininit Wrong Parent, Rare 
Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Winword wrong parent, WMI Persistence Command Line Event Consumer, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Explorer Wrong Parent, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, PsExec Process, Winword wrong parent, WMI Persistence Command Line Event Consumer, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Suspicious DNS Child Process, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, PsExec Process, Windows Update 
LolBins, Winword wrong parent, WMI Persistence Command Line Event Consumer, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Suspicious DNS Child Process, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, OceanLotus Registry Activity, 
FlowCloud Malware"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: 
Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, 
{"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, 
"comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script 
Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": 
"T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0 [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious HWP Child Process, Suspicious Outlook Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Rclone Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting 
Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, HackTools Suspicious Process Names In Command Line, Load Of dbghelp/dbgcore DLL From Suspicious Process, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Disabled IE Security Features, Package Manager Alteration, Raccine 
Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allow Command, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading 
DLL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Sysprep On AppData Folder, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Office Spawning Script, AutoIt3 Execution From Suspicious Folder, Python Offensive Tools and Packages, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Mshta Suspicious Child Process, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Cmd.exe Command Line, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Outlook Child Process, Suspicious Taskkill Command, Trickbot Malware Activity, Aspnet Compiler"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution, IcedID Execution Using Excel, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious DLL Loading By Ordinal, xWizard Execution, Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, Mshta JavaScript 
Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Control Process, Suspicious Mshta Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, New Service Creation, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Smss Wrong 
Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, New Service Creation, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, Winlogon wrong parent, Taskhost Wrong Parent, Exfiltration Via Pscp, Userinit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Taskhostw Wrong Parent, Rare Lsass Child Found, 
Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Windows Update LolBins, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft 
Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-1147 SharePoint, CVE-2018-11776 
Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, WMIC Uninstall Product"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, 
Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Cron Files 
Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS 
Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, NjRat Registry Changes, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, 
{"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, AdFind Usage, Domain Trust 
Discovery Through LDAP"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and 
Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1005", "score": 100, 
"comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process 
Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json index 768308d1c1..c17f55e160 100644 --- a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Interactive Terminal Spawned via Python"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Quarantined, Broadcom/Symantec Endpoint Security Event Terminate"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic 
MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API 
Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension, Phorpiex Process Masquerading"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, 
"comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Terminate, Download Files From Suspicious TLDs, Broadcom/Symantec Endpoint Security Event Quarantined, Broadcom/Symantec Endpoint Security Event Blocked"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound 
and Sharphound Tools Usage, AutoIt3 Execution From Suspicious Folder, Interactive Terminal Spawned via Python, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": 
"T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: 
ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json index 142939fa2d..6a74a0341d 100644 --- a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, 
Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 
SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, 
{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json index d27afe79f2..62baedb8a0 100644 --- a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json index 071dd41e36..8cf107c432 100644 --- a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Suspicious Windows DNS Queries, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 
Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Suspicious Windows DNS Queries, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege 
Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: 
Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Aspnet Compiler"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO 
Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Suspicious Windows DNS Queries, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Suspicious Windows DNS Queries, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, 
{"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Aspnet Compiler"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, 
CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram 
Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json index 586a2a937b..6111153e96 100644 --- a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double 
Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts 
RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json index 006ab22a1f..b0f1b9d354 100644 --- a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Proofpoint TAP Email Classified As Malware But Allowed, Download Files From Suspicious TLDs, Proofpoint TAP Email Classified As Phishing But Allowed, Proofpoint TAP Email Classified As Spam But Allowed, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious 
TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Proofpoint TAP Email Classified As Malware But Allowed, Download Files From Suspicious TLDs, Proofpoint TAP Email Classified As Phishing But Allowed, Proofpoint TAP Email Classified As Spam But Allowed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious 
TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json index 3a537365d4..07c4d7e639 100644 --- a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, 
{"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious 
File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file +{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon 
Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", 
"score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
index 81afe82089..47440b4037 100644
--- a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (MultiScan)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file 
+{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (Sandboxing), Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
index 3dcd4aa971..a07c4982c0 100644
--- a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
index dc7d62a8ac..b19e1d59f8 100644
--- a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML 
Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 
SonicWall Arbitrary File Read"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default 
GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: 
ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
index d828f7d8ff..7d71135676 100644
--- a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Generic-reverse-shell-oneliner, Bloodhound and Sharphound Tools Usage, Elise Backdoor, Linux Bash Reverse Shell, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Interactive Terminal Spawned via Python, Venom Multi-hop Proxy agent detection, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Socat Relaying Socket, Python Offensive Tools and Packages, Microsoft Office Creating Suspicious File, Aspnet Compiler, Sysprep On AppData Folder, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": 
"T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, Disabled Service, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus 
Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, Disabled Service, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, ETW Tampering, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, SELinux Disabling, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning 
and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", 
"score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1222.001", 
"score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Lazarus Loaders, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, AccCheckConsole Executing Dll, Suspicious Mshta Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Equation Group DLL_U Load, Control Panel Items, MavInject Process Injection, Suspicious Control Process, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, CMSTP Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": 
"Rules: Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process 
Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue 
Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", 
"score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: 
MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1001.003", "score": 100, "comment": 
"Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools 
Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1562.001", "score": 
100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SELinux Disabling, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disabled Service"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SELinux Disabling, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allow Command, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender 
Antivirus Disable Using Registry, Disabled Service"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Sysprep On AppData Folder, Suspicious Windows Script Execution, Interactive Terminal Spawned via Python, Socat Reverse Shell Detection, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Office Creating Suspicious File, AutoIt3 Execution From Suspicious Folder, Python Offensive Tools and Packages, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Socat Relaying Socket, Elise Backdoor, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Venom Multi-hop Proxy agent detection, Suspicious Taskkill Command, Aspnet Compiler"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, 
AccCheckConsole Executing Dll, Equation Group DLL_U Load, Empire Monkey Activity, xWizard Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, CMSTP Execution, MavInject Process Injection"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges 
Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process 
Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence 
Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": 
"T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry 
Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", 
"score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1090.001", "score": 
100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally"}, 
{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": 
"T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
index 5b912076ba..8f9fde6a04 100644
--- a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Netsh RDP Port Forwarding, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, Microsoft 
Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": 
"T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Lazarus Loaders, WMIC Uninstall Product"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft 
Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, 
Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, 
{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs 
Through CommandLine"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, 
Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Lazarus Loaders, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, 
Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Taskkill Command, Control Panel Items, Suspicious Windows Installer Execution, MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, WMIC Uninstall Product, PowerShell AMSI 
Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Cron Files Alteration, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", 
"score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association"}, 
{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, 
"comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": 
"T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
index 0e8506f74a..6764928fdd 100644
--- a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x SonicWall Secure Mobile Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SonicWall Secure Mobile Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json index 926d0ef043..622e510c91 100644 --- a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json 
+++ b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": 
"T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": 
"T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, 
{"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json index 3b2b9f933f..2fd6eee773 100644 
--- a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion 
Command, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, 
{"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Lazarus Loaders, WMIC Uninstall Product"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": 
"Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence 
Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", 
"score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": 
"T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender 
Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Lazarus Loaders, Suspicious Taskkill Command, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Taskkill Command, Control Panel Items, Suspicious Windows Installer Execution, MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": 
"Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using 
Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and 
Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, 
{"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, 
{"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json index 72d313fbe7..ffbafed413 100644 --- a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Ubika WAAP Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1566.002", "score": 100, "comment": 
"Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 
SonicWall Arbitrary File Read"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Ubika WAAP Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User 
Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", 
"score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json index 3e0ac54fec..e00573b519 100644 --- a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Files [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, 
{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Files [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, 
"comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json index fcabe42ad7..c89897c008 100644 --- a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender 
Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": 
"T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Generic-reverse-shell-oneliner, Bloodhound and Sharphound Tools Usage, Elise Backdoor, Linux Bash Reverse Shell, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Python Offensive Tools and Packages, Aspnet Compiler, Sysprep On AppData Folder, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 
100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill 
Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Lazarus Loaders, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, AccCheckConsole Executing Dll, Suspicious Mshta Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Equation Group DLL_U Load, Control Panel Items, MavInject Process Injection, Suspicious Control Process, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, CMSTP Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious 
PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound 
Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using 
Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, 
"comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port 
Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1123", "score": 100, 
"comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Python 
HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft 
Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allow Command, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Sysprep On AppData Folder, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, 
Python Offensive Tools and Packages, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Elise Backdoor, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Aspnet Compiler"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Empire Monkey Activity, xWizard Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, CMSTP Execution, MavInject Process Injection"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, 
PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1222.001", "score": 100, 
"comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence 
With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools 
Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1136", "score": 100, 
"comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, 
Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": 
"T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, 
"comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json index b39eb5fb93..c0084694fe 100644 --- a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, 
{"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json index 37891ab9a0..865cfbb96f 100644 --- a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare Gateway DNS [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare Gateway DNS [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json index b460a87319..2ebf04f825 100644 --- a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": 
"4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
index 6356d4b842..a55bdf19cd 100644
--- a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Github Audit logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Delete Action, GitHub Outside Collaborator Detected, GitHub New Organization Member, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub High Risk Configuration Disabled"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Delete Action, GitHub Outside Collaborator Detected, GitHub New Organization Member, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub High Risk Configuration Disabled"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Github Audit logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub High Risk Configuration Disabled, GitHub New Organization Member, GitHub Delete Action, GitHub Outside Collaborator Detected"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub High Risk Configuration Disabled, GitHub New Organization Member, GitHub Delete Action, GitHub Outside Collaborator Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
index e0a72ca51a..0ccda8b8e3 100644
--- a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json index 55f14fdecc..37a7aeb87f 100644 
--- a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json index b87014297b..c13d82a01b 100644 --- a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x ManageEngine ADAudit Plus [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x ManageEngine ADAudit Plus [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, 
{"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json index c376023f2a..ec65c610c8 100644 --- a/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json 
+++ b/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 1.0 [Deprecated]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Load Of dbghelp/dbgcore DLL From Suspicious Process, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download 
File, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, 
ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, MavInject Process Injection, Taskhost Wrong Parent, Explorer Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Mshta Suspicious Child Process, Suspicious Outlook Child Process, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Exploiting SetupComplete.cmd CVE-2019-1378, Generic-reverse-shell-oneliner, Bloodhound and Sharphound Tools Usage, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Linux Bash Reverse Shell, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Sysprep On AppData Folder, QakBot Process Creation, Trickbot Malware Activity, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes 
Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing, SEKOIA.IO 
Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, FoggyWeb 
HTTP Default GET/POST Requests, Python HTTP Server, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or 
CVE-2017-0262, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Suspicious Mshta Execution, MOFComp Execution, MavInject Process Injection, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Empire Monkey Activity, Equation Group 
DLL_U Load, Control Panel Items, CMSTP Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil 
command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Winword wrong parent, WMI Persistence Command Line Event Consumer, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Explorer Wrong Parent, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Winword wrong parent, WMI Persistence Command Line Event Consumer, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, 
Searchprotocolhost Child Found, Lsass Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Explorer Wrong Parent, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, PsExec Process, Winword wrong parent, WMI Persistence Command Line Event Consumer, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Suspicious DNS Child Process, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, PsExec Process, Windows Update LolBins, Winword wrong parent, WMI Persistence Command Line Event Consumer, Winlogon wrong parent, Rare Logonui Child Found, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Suspicious DNS Child Process, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Csrss Child Found, 
Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP 
Session To Move Laterally"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Qakbot Persistence Using 
Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", 
"score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1090.001", "score": 100, 
"comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1001.003", "score": 
100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 1.0 [Deprecated]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, 
"domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious HWP Child Process, Suspicious Outlook Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Load Of dbghelp/dbgcore DLL From Suspicious Process, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction 
Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allow Command, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Raccine 
Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Sysprep On AppData Folder, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, AutoIt3 Execution From Suspicious Folder, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Mshta Suspicious Child Process, Elise Backdoor, 
Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Cmd.exe Command Line, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Outlook Child Process, Suspicious Taskkill Command, Trickbot Malware Activity"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution, IcedID Execution Using Excel, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious DLL Loading By Ordinal, xWizard Execution, Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Control Process, Suspicious Mshta Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, WMI 
Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, New Service Creation, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, New Service Creation, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Suspicious DNS Child Process, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong 
parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, Winlogon wrong parent, Taskhost Wrong Parent, Exfiltration Via Pscp, Userinit Wrong Parent, Suspicious DNS Child Process, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Windows Update LolBins, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Webshell 
Creation, PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Rclone Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, 
Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.003", "score": 100, "comment": 
"Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, WMIC Uninstall Product"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, RTLO Character, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1562.004", "score": 100, 
"comment": "Rules: Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, 
Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And 
SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC 
Command To Determine The Antivirus"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, 
{"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, 
{"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download 
Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
index 2e22aa21cb..92a4a26601 100644
--- a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, 
PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": 
"T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Generic-reverse-shell-oneliner, Bloodhound and Sharphound Tools Usage, Elise Backdoor, Linux Bash Reverse Shell, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Microsoft Office Creating Suspicious File, Aspnet Compiler, Sysprep On AppData Folder, PowerShell Malicious Nishang PowerShell Commandlets, TEHTRIS EDR Alert, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, 
{"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Explorer Process Executing HTA File, TEHTRIS EDR Alert, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process, TEHTRIS EDR Alert, Exfiltration Via Pscp"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, 
Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, Detect requests to Konni C2 servers"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, 
{"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension, RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Lazarus Loaders, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, AccCheckConsole Executing Dll, Suspicious Mshta Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Equation Group DLL_U Load, Control Panel Items, MavInject Process Injection, Suspicious Control Process, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, CMSTP Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: 
PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And 
SquiblyTwo Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, 
Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or 
Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg 
Utility"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": 
"T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": 
"T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, TEHTRIS EDR Alert, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Sysprep On AppData Folder, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Office Creating Suspicious File, AutoIt3 Execution From Suspicious Folder, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, TEHTRIS EDR Alert, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Elise Backdoor, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Aspnet Compiler"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, TEHTRIS EDR Alert, SolarWinds Suspicious File Creation, PsExec Process, Exfiltration Via Pscp"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: 
SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh 
Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allow Command, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script 
Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Empire Monkey Activity, xWizard Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, CMSTP Execution, MavInject Process Injection"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference 
Base64 Encoded, PowerShell Downgrade Attack, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Rclone Process"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": 
"Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": 
"T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Cobalt Strike Default 
Beacons Names"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, 
Koadic MSHTML Command, Python HTTP Server"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web 
Browser Execution To Download File"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": 
"Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, 
Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, 
"comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
index c101f00d2c..8fe3dd71fd 100644
--- a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, 
"comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", 
"score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
index 9bba220138..5381fdb24c 100644
--- a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, AD Object WriteDAC Access, File Or Folder Permissions Modifications"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted, ETW Tampering, Secure Deletion With SDelete, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: DPAPI Domain Backup Key Extraction, Grabbing Sensitive Hives Via Reg Utility, Active Directory Database Dump Via Ntdsutil, LSASS Access From Non System Account, Cred Dump Tools Dropped Files, LSASS Memory Dump, NTDS.dit File Interaction Through Command Line, Mimikatz Basic Commands, Credential Dumping-Tools Common Named Pipes, Unsigned Image Loaded Into LSASS Process, HackTools Suspicious Process Names In Command Line, Suspicious SAM Dump, Rubeus Tool Command-line, Credential Dumping By LaZagne, Copying Browser Files With Credentials, Credential Dumping Tools Service Execution, Process Memory Dump Using Comsvcs, Impacket Secretsdump.py Tool, LSASS Memory Dump File Creation, Active Directory Replication from Non Machine Account, SAM Registry Hive Handle Request, Malicious Service Installations, DCSync Attack, Windows Credential Editor Registry Key, RedMimicry Winnti Playbook Dropped File, Process Memory Dump Using Rdrleakdiag, WCE 
wceaux.dll Creation, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, Load Of dbghelp/dbgcore DLL From Suspicious Process, Wdigest Enable UseLogonCredential, NTDS.dit File In Suspicious Directory, Lsass Access Through WinRM, Transfering Files With Credential Data Via Network Shares, Password Dumper Activity On LSASS, Process Trace Alteration, Mimikatz LSASS Memory Access, Copying Sensitive Files With Credential Data, Dumpert LSASS Process Dumper, NetNTLM Downgrade Attack"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Exploiting SetupComplete.cmd CVE-2019-1378, Svchost DLL Search Order Hijack, Hijack Legit RDP Session To Move Laterally, Suspicious DLL side loading from ProgramData, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Windows Registry Persistence COM Search Order Hijacking, Werfault DLL Injection, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable SecurityHealth, Debugging Software Deactivation, Disabled IE Security Features, Disable Windows Defender Credential Guard, Raccine Uninstall, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Exclusion Configuration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban 
IP, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Using Registry, Microsoft Malware Protection Engine Crash, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Ryuk Ransomware Command Line, TrustedInstaller Impersonation, Windows Defender Deactivation Using PowerShell Script, AMSI Deactivation Using Registry Key, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetNTLM Downgrade Attack"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable SecurityHealth, Powershell AMSI Bypass, Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Disable Windows Defender Credential Guard, Raccine Uninstall, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Exclusion Configuration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Using Registry, Microsoft Malware Protection Engine Crash, Suspect 
Svchost Memory Access, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Python Opening Ports, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Ryuk Ransomware Command Line, TrustedInstaller Impersonation, Microsoft Defender Antivirus Tampering Detected, Windows Defender Deactivation Using PowerShell Script, AMSI Deactivation Using Registry Key, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Disable Security Events Logging Adding Reg Key MiniNt, ETW Tampering, Windows Firewall Changes, NetNTLM Downgrade Attack, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, MavInject Process Injection, CreateRemoteThread Common Process Injection, Malicious Named Pipe, Dynwrapx Module Loading, Taskhostw Wrong Parent, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Cobalt Strike Named Pipes, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Process Hollowing Detection, Process Herpaderping, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Mshta Suspicious Child Process, Suspicious Outlook Child Process, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Exploiting SetupComplete.cmd CVE-2019-1378, 
Generic-reverse-shell-oneliner, Alternate PowerShell Hosts Pipe, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Bloodhound and Sharphound Tools Usage, Invoke-TheHash Commandlets, In-memory PowerShell, WMI DLL Loaded Via Office, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Keywords, Linux Bash Reverse Shell, PowerShell Credential Prompt, Detection of default Mimikatz banner, Suspicious DLL Loaded Via Office Applications, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Venom Multi-hop Proxy agent detection, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Microsoft Defender Antivirus Threat Detected, PowerShell - NTFS Alternate Data Stream, Microsoft Office Creating Suspicious File, Aspnet Compiler, Suspicious Scripting In A WMI Consumer, Mustang Panda Dropper, Microsoft Office Spawning Script, Sysprep On AppData Folder, QakBot Process Creation, Malspam Execution Registering Malicious DLL, WMImplant Hack Tool, Trickbot Malware Activity, PowerShell Malicious Nishang PowerShell Commandlets, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Turla Named Pipes, Suspicious CodePage Switch with CHCP, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1098", "score": 
100, "comment": "Rules: Mimikatz Basic Commands, Privileged AD Builtin Group Modified, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory Replication User Backdoor, Add User to Privileged Group, Active Directory User Backdoors, User Added to Local Administrators, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Active Directory Delegate To KRBTGT Service"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Linux Suspicious Search, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Kernel Module Alteration, Registry Key Used By Some Old Agent Tesla Samples, Svchost Modification, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL, DLL Load via LSASS Registry Key, Autorun Keys Modification, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder, Suspicious desktop.ini Action, Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting 
Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loaded Via Office Applications, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, HarfangLab EDR High Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Spawning Script, Download Files From Non-Legitimate TLDs, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Low Level Rule Detection, Malspam Execution Registering Malicious DLL, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loaded Via Office Applications, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Defender Antivirus Threat Detected, Cobalt Strike Default Beacons Names, HarfangLab EDR High Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft 
Office Spawning Script, Download Files From Non-Legitimate TLDs, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Low Level Rule Detection, Malspam Execution Registering Malicious DLL, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Nimbo-C2 User Agent, Suspicious LDAP-Attributes Used, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Suspicious Windows DNS Queries, Potential Bazar Loader User-Agents, Chafer (APT 39) Activity, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Python HTTP Server, Koadic MSHTML Command, Suspicious Windows DNS Queries, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange 
Server Creating Unusual Files, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Rclone Process, Network Connection Via Certutil, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, TUN/TAP Driver Installation, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, 
Suspicious New Printer Ports In Registry, Antivirus Exploitation Framework Detection, Download Files From Suspicious TLDs, Suspicious HWP Child Process, Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, Audit CVE Event, Antivirus Password Dumper Detection, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Failed Logon Source From Public IP Addresses, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, GitLab CVE-2021-22205, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious Hostname, Suspicious TOR Gateway"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible 
Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Execution From Suspicious Folder, AutoIt3 Execution From Suspicious Folder, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, New Or Renamed User Account With '$' In Attribute 'SamAccountName', RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Suspicious Taskkill Command, Putty Sessions Listing, SysKey Registry Keys Access"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, Lsass Access Through WinRM, Lateral Movement - Remote Named Pipe, Admin Share Access, Protected Storage Service Access, Cobalt Strike Default Service Creation Usage, MMC Spawning Windows Shell, RDP Port Change Using Powershell, Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, MMC20 Lateral Movement"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon, Account Added To A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, User Added to Local Administrators"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Protected Storage Service 
Access, Lateral Movement - Remote Named Pipe, Cobalt Strike Default Service Creation Usage, Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, Admin Share Access"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine, Malspam Execution Registering Malicious DLL, Lazarus Loaders, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Suspicious Mshta Execution, MOFComp Execution, MavInject Process Injection, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Suspicious Taskkill Command, Dynwrapx Module Loading, IcedID Execution Using Excel, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, Mshta JavaScript Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Empire Monkey Activity, Equation Group DLL_U Load, Control Panel Items, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution 
Using Excel, Empire Monkey Activity, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Opening, Netsh Port Forwarding, Python Opening Ports, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Alternate PowerShell Hosts Pipe, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Bloodhound and Sharphound Tools Usage, Invoke-TheHash Commandlets, In-memory PowerShell, Suspicious PowerShell Keywords, PowerShell Credential Prompt, Detection of default Mimikatz banner, Suspicious Taskkill Command, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web 
Request, PowerShell - NTFS Alternate Data Stream, WMImplant Hack Tool, PowerShell Malicious PowerShell Commandlets, PowerShell Malicious Nishang PowerShell Commandlets, Malicious PowerShell Keywords, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine, Turla Named Pipes, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious DLL Loaded Via Office Applications, Microsoft Office Spawning Script, QakBot Process Creation, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, WMI DLL Loaded Via Office, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: AD User Enumeration, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Remote Privileged Group Enumeration, PowerView commandlets 2, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, 
{"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Creation or Modification of a GPO Scheduled Task, Chafer (APT 39) Activity"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Creation or Modification of a GPO Scheduled Task, Chafer (APT 39) Activity, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery, Domain Trust Created Or Removed"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Registry Key Used By Some Old Agent Tesla Samples, Leviathan Registry Key Activity, Svchost Modification, Autorun Keys Modification, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder, Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Phosphorus Domain Controller Discovery, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage, Trickbot Malware Activity, PowerView commandlets 2"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall 
Product, WMImplant Hack Tool, Invoke-TheHash Commandlets, Wmic Process Call Creation, WMI DLL Loaded Via Office, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Load Of dbghelp/dbgcore DLL From Suspicious Process, Credential Dumping-Tools Common Named Pipes, Unsigned Image Loaded Into LSASS Process, Lsass Access Through WinRM, Windows Credential Editor Registry Key, Cred Dump Tools Dropped Files, Password Dumper Activity On LSASS, Process Memory Dump Using Rdrleakdiag, Credential Dumping By LaZagne, Mimikatz LSASS Memory Access, Credential Dumping Tools Service Execution, LSASS Access From Non System Account, Dumpert LSASS Process Dumper, Process Memory Dump Using Createdump, LSASS Memory Dump File Creation, LSASS Memory Dump"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Suspicious Scripting In A WMI Consumer, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, WMI Event Subscription, WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Cred Dump Tools Dropped Files, Active Directory Database Dump Via Ntdsutil, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Cobalt Strike Default Service Creation Usage, Winword wrong 
parent, WMI Persistence Command Line Event Consumer, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Chafer (APT 39) Activity, Spoolsv Wrong Parent, APT29 Fake Google Update Service Install, Malicious Service Installations, Searchprotocolhost Wrong Parent, StoneDrill Service Install, Winrshost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Explorer Wrong Parent, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Cobalt Strike Default Service Creation Usage, Winword wrong parent, WMI Persistence Command Line Event Consumer, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Chafer (APT 39) Activity, Spoolsv Wrong Parent, APT29 Fake Google Update Service Install, Malicious Service Installations, Searchprotocolhost Wrong Parent, StoneDrill Service Install, Winrshost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Explorer Wrong Parent, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Gpscript Suspicious Parent, PsExec Process, Winword wrong parent, WMI 
Persistence Command Line Event Consumer, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Suspicious PsExec Execution, Taskhostw Wrong Parent, Credential Dumping Tools Service Execution, Searchprotocolhost Child Found, Lsass Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Smbexec.py Service Installation, Spoolsv Wrong Parent, Suspicious DNS Child Process, Malicious Service Installations, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Metasploit PSExec Service Creation, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Gpscript Suspicious Parent, PsExec Process, Windows Update LolBins, Winword wrong parent, WMI Persistence Command Line Event Consumer, Winlogon wrong parent, Rare Logonui Child Found, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, Csrss Wrong Parent, Suspicious PsExec Execution, Taskhostw Wrong Parent, Credential Dumping Tools Service Execution, Searchprotocolhost Child Found, Lsass Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Smbexec.py Service Installation, Microsoft Defender Antivirus Threat Detected, Spoolsv Wrong Parent, Suspicious DNS Child Process, Malicious Service Installations, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Metasploit PSExec Service Creation, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent, 
Exfiltration Via Pscp"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line, Suspicious Outbound Kerberos Connection, Rubeus Register New Logon Process"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, Suspicious DLL side loading from ProgramData, Werfault DLL Injection, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Handle Failure, PowerView commandlets 2, SCM Database Privileged Operation"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In, IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, 
Cmdkey Cached Credentials Recon, Credential Dumping Tools Service Execution, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Disable Workstation Lock, Wdigest Enable UseLogonCredential, Suspicious New Printer Ports In Registry, Remote Registry Management Using Reg Utility, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Port Change Using Powershell, Disable Security Events Logging Adding Reg Key MiniNt, Ursnif Registry Key, Chafer (APT 39) Activity, NetNTLM Downgrade Attack, FlowCloud Malware"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO, Rubeus Tool Command-line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 
1, PowerView commandlets 2, Network Share Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, RedMimicry Winnti Playbook Dropped File, Suspicious SAM Dump, Copying Browser Files With Credentials, Credential Dumping Tools Service Execution, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, SAM Registry Hive Handle Request"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, PowerShell 
Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File, Secure Deletion With SDelete"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: DPAPI Domain Backup Key Extraction, Credential Dumping-Tools Common Named Pipes, Grabbing Sensitive Hives Via Reg Utility, Impacket Secretsdump.py Tool, Credential Dumping Tools 
Service Execution, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, DCSync Attack, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike 
Getsystem Service Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading 
Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Dynwrapx Module Loading, IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless 
Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Active Directory Shadow Credentials, KeePass Config XML In Command-Line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, 
{"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Critical Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Hlai Engine Detection, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, 
Microsoft Office Spawning Script, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loaded Via Office Applications, Winword Document Droppers, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, HarfangLab EDR High Level Rule Detection, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Low Level Rule Detection, Download Files From Non-Legitimate TLDs, Sysmon Windows File Block Executable"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Critical Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Hlai Engine Detection, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loaded Via Office Applications, Winword Document Droppers, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Defender Antivirus Threat Detected, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Low Level Rule Detection, Download Files From Non-Legitimate TLDs, Sysmon Windows File Block Executable"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Bazar Loader 
DGA (Domain Generation Algorithm), Python HTTP Server, Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Suspicious LDAP-Attributes Used, Chafer (APT 39) Activity, Covenant Default HTTP Beaconing, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, DNS Tunnel Technique From MuddyWater, Potential Lemon Duck User-Agent, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious HWP Child Process, Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil, Suspicious certutil command, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Rclone Process"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: DCSync Attack, Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, LSASS Access From Non System Account, HackTools Suspicious Process Names In Command Line, Active Directory Database Dump Via Ntdsutil, Credential Dumping Tools Service Execution, Transfering Files With Credential Data Via Network Shares, NetNTLM Downgrade Attack, Malicious Service Installations, LSASS Memory Dump, DPAPI Domain Backup Key Extraction, DCSync Attack, Credential Dumping-Tools Common Named Pipes, NTDS.dit File In Suspicious Directory, RedMimicry Winnti Playbook Dropped File, Process Memory Dump Using 
Createdump, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Password Dumper Activity On LSASS, LSASS Memory Dump File Creation, Credential Dumping By LaZagne, Cred Dump Tools Dropped Files, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Comsvcs, Unsigned Image Loaded Into LSASS Process, Impacket Secretsdump.py Tool, SAM Registry Hive Handle Request, WCE wceaux.dll Creation, Wdigest Enable UseLogonCredential, Lsass Access Through WinRM, Dumpert LSASS Process Dumper, Cmdkey Cached Credentials Recon, Mimikatz LSASS Memory Access, Suspicious SAM Dump, HackTools Suspicious Names"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: LSASS Memory Dump File Creation, Credential Dumping By LaZagne, Windows Credential Editor Registry Key, LSASS Access From Non System Account, LSASS Memory Dump, Credential Dumping-Tools Common Named Pipes, Lsass Access Through WinRM, Cred Dump Tools Dropped Files, Load Of dbghelp/dbgcore DLL From Suspicious Process, Dumpert LSASS Process Dumper, Process Memory Dump Using Createdump, Mimikatz LSASS Memory Access, Process Memory Dump Using Rdrleakdiag, Unsigned Image Loaded Into LSASS Process, Credential Dumping Tools Service Execution, Password Dumper Activity On LSASS"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, AD Object WriteDAC Access, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, TUN/TAP Driver Installation, Potential DNS Tunnel, Powershell UploadString Function"}, 
{"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Windows Defender Credential Guard, Fail2ban Unban IP, Netsh Port Opening, NetNTLM Downgrade Attack, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable SecurityHealth, Debugging Software Deactivation, Disabled IE Security Features, Ryuk Ransomware Command Line, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Configuration Changed, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling 
Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Using Registry, Netsh Program Allowed With Suspicious Location, TrustedInstaller Impersonation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspect Svchost Memory Access, Windows Firewall Changes, Python Opening Ports, Netsh Allowed Python Program, Disable Windows Defender Credential Guard, Fail2ban Unban IP, Netsh Port Opening, Disable Security Events Logging Adding Reg Key MiniNt, NetNTLM Downgrade Attack, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious PROCEXP152.sys File Created In Tmp, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Allow Command, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Ryuk Ransomware Command Line, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Configuration Changed, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus 
Disable Using Registry, Netsh Program Allowed With Suspicious Location, TrustedInstaller Impersonation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Suspicious Windows Script Execution, WMI DLL Loaded Via Office, Suspicious CodePage Switch with CHCP, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Malspam Execution Registering Malicious DLL, Suspicious DLL Loaded Via Office Applications"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Sysprep On AppData Folder, Suspicious PowerShell Keywords, Suspicious XOR Encoded PowerShell Command Line, Suspicious Windows Script Execution, Malicious PowerShell Keywords, Detection of default Mimikatz banner, In-memory PowerShell, XSL Script Processing And SquiblyTwo Attack, Malspam Execution Registering Malicious DLL, PowerShell Malicious PowerShell Commandlets, WMIC Uninstall Product, Alternate PowerShell Hosts Pipe, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, AutoIt3 Execution From Suspicious Folder, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Scripting In A WMI Consumer, Suspicious DLL Loaded Via Office Applications, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, PowerShell - NTFS Alternate Data Stream, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious VBS Execution Parameter, 
FromBase64String Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Suspicious PowerShell Invocations - Generic, WMImplant Hack Tool, WMI DLL Loaded Via Office, Suspicious CodePage Switch with CHCP, Linux Bash Reverse Shell, Mshta Suspicious Child Process, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, Mustang Panda Dropper, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Venom Multi-hop Proxy agent detection, Suspicious Outlook Child Process, Suspicious Taskkill Command, Trickbot Malware Activity, Turla Named Pipes, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Credential Prompt, Aspnet Compiler, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, Suspicious Regasm Regsvcs Usage, IcedID Execution Using Excel, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, MOFComp 
Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Dynwrapx Module Loading, Explorer Process Executing HTA File, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Control Process, Suspicious Mshta Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware, Impacket Wmiexec Module, WMI DLL Loaded Via Office, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, CreateRemoteThread Common Process Injection, Cobalt Strike Named Pipes, Taskhost Wrong Parent, Process Hollowing Detection, MavInject Process Injection, Taskhostw Wrong Parent, Malicious Named Pipe, Searchprotocolhost Wrong Parent, Dynwrapx Module Loading, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Process Herpaderping, Wsmprovhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, Malicious Service Installations, New Service Creation, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, StoneDrill Service Install, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Cobalt Strike Default Service Creation Usage, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, 
Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, APT29 Fake Google Update Service Install, Gpscript Suspicious Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Chafer (APT 39) Activity, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, Malicious Service Installations, New Service Creation, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, StoneDrill Service Install, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Cobalt Strike Default Service Creation Usage, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, APT29 Fake Google Update Service Install, Gpscript Suspicious Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Chafer (APT 39) Activity, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Credential Dumping Tools Service Execution, Csrss Child Found, Rare Logonui Child Found, Malicious Service Installations, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Smbexec.py Service Installation, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost 
or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Gpscript Suspicious Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Suspicious PsExec Execution, Wsmprovhost Wrong Parent, Metasploit PSExec Service Creation, Logonui Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, WMI Persistence Command Line Event Consumer, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Credential Dumping Tools Service Execution, Csrss Child Found, Rare Logonui Child Found, Malicious Service Installations, Winlogon wrong parent, Taskhost Wrong Parent, Exfiltration Via Pscp, Userinit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Smbexec.py Service Installation, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Microsoft Defender Antivirus Threat Detected, Winrshost Wrong Parent, Wininit Wrong Parent, Windows Update LolBins, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Gpscript Suspicious Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Suspicious PsExec Execution, Wsmprovhost Wrong Parent, Metasploit PSExec Service Creation, Logonui Wrong Parent"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, DLL Load via LSASS Registry Key, Svchost Modification, Autorun Keys Modification, Malware Persistence Registry Key, Registry Key Used By 
Some Old Agent Tesla Samples, NjRat Registry Changes, Powershell Winlogon Helper DLL, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Ryuk Ransomware Persistence Registry Key, Narrator Feedback-Hub Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading, Antivirus Web Shell Detection"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading, Antivirus Web Shell Detection"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Privileged AD Builtin Group Modified, GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Suspicious XOR Encoded PowerShell Command Line, Malicious PowerShell Keywords, Detection of default Mimikatz banner, In-memory PowerShell, PowerShell Malicious PowerShell Commandlets, Alternate PowerShell Hosts Pipe, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell - NTFS Alternate Data Stream, Exploited CVE-2020-10189 Zoho ManageEngine, FromBase64String Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious 
PowerShell Invocations - Generic, WMImplant Hack Tool, Mshta Suspicious Child Process, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Turla Named Pipes, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Credential Prompt, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Secure Deletion With SDelete, Eventlog Cleared, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Suspicious DLL side loading from ProgramData, DHCP Server Error Failed Loading the CallOut DLL, Svchost DLL Search Order Hijack, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Werfault DLL Injection"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Suspicious DLL side loading from ProgramData, DHCP Server Error Failed Loading the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking, Dynamic Linker Hijacking From Environment Variable, DHCP Server Loaded the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Werfault DLL Injection, Hijack Legit 
RDP Session To Move Laterally"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, DHCP Callout DLL Installation, Disable Security Events Logging Adding Reg Key MiniNt, Wdigest Enable UseLogonCredential, Suspicious New Printer Ports In Registry, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, Chafer (APT 39) Activity, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, RDP Sensitive Settings Changed, Remote Registry Management Using Reg Utility, DNS ServerLevelPluginDll Installation, RDP Port Change Using Powershell, NetNTLM Downgrade Attack, OceanLotus Registry Activity, Disable Workstation Lock, FlowCloud Malware"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Svchost Modification, Autorun Keys Modification, Malware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples, RUN Registry Key Created From Suspicious Folder, Ryuk Ransomware Persistence Registry Key, Narrator Feedback-Hub Persistence"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, User Added to Local Administrators, Denied Access To Remote Desktop, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group, Admin User RDP Remote Logon, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, NTDS.dit File In Suspicious Directory, Cred Dump Tools Dropped Files, Active Directory Database Dump Via Ntdsutil, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command 
Line"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Failed Logon Source From Public IP Addresses, Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, WMIC Uninstall Product"}, {"techniqueID": 
"T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts, Suspicious HWP Child Process, Audit CVE Event, Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution, Download Files From Non-Legitimate TLDs, Antivirus Password Dumper Detection, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, Remote Registry Management Using Reg Utility, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Copy Of Legitimate System32 Executable, RTLO Character, Execution From Suspicious Folder, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": 
"T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Powershell AMSI Bypass, Netsh RDP Port Opening, Python Opening Ports, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, SAM Registry Hive Handle Request, Grabbing Sensitive Hives Via Reg Utility, RedMimicry Winnti Playbook Dropped File, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Suspicious Taskkill Command, SysKey Registry Keys Access, Putty Sessions Listing"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1053.002", "score": 100, 
"comment": "Rules: Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Creation or Modification of a GPO Scheduled Task, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Blue Mockingbird Malware, Chafer (APT 39) Activity, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Remote Task Creation Via ATSVC Named Pipe, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Creation or Modification of a GPO Scheduled Task, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Chafer (APT 39) Activity, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser 
Execution To Download File, Hiding Files With Attrib.exe, PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Handle Failure, SCM Database Privileged Operation, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, Remote Privileged Group Enumeration, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AD User Enumeration"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, AdFind Usage, Phosphorus Domain Controller Discovery"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": 
"T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Cmdkey Cached Credentials Recon, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access, Lateral Movement - Remote Named Pipe, Cobalt Strike Default Service Creation Usage, Admin Share Access"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement, Smbexec.py Service Installation, RDP Login From Localhost, Remote Service Activity Via SVCCTL Named Pipe, Lsass Access Through WinRM, RDP Port Change Using Powershell, Protected Storage Service Access, Lateral Movement - Remote Named Pipe, Cobalt Strike Default Service Creation Usage, Denied Access To Remote Desktop, Admin Share Access"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Chafer (APT 39) Activity, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration 
and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel, Microsoft Office Startup Add-In"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack, Suspicious Outbound Kerberos Connection, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Register New Logon Process"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance, AD User Enumeration"}, {"techniqueID": 
"T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, WMI Event Subscription, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Control Panel Items, Change Default File Association, Suspicious Scripting In A WMI Consumer, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel, Dynwrapx Module Loading"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Covenant Default HTTP Beaconing, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, 
Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Rubeus Tool Command-line, Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Add User to Privileged Group, User Added to Local Administrators, Active Directory User Backdoors, Privileged AD Builtin Group Modified, Active Directory Replication User Backdoor, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Active Directory Delegate To KRBTGT Service"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1070.004", "score": 100, 
"comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, Secure Deletion With SDelete, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, WMI Event Subscription, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, EvilProxy Phishing Domain, Potential Azure AD Phishing Page 
(Adversary-in-the-Middle)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, Suspicious TOR Gateway, Netsh Port Forwarding"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, 
{"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1567.002", 
"score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux 
Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
index b8681abfc0..ac9dc58c83 100644
--- a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender 
Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": 
"T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Generic-reverse-shell-oneliner, Bloodhound and Sharphound Tools Usage, Elise Backdoor, Linux Bash Reverse Shell, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Aspnet Compiler, Sysprep On AppData Folder, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux 
Suspicious Search"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Lazarus Loaders, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, AccCheckConsole Executing Dll, Suspicious Mshta Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Equation Group DLL_U Load, Control Panel Items, MavInject Process Injection, Suspicious Control Process, Explorer Process Executing HTA File, PowerShell Execution Via 
Rundll32, Suspicious Rundll32.exe Execution, CMSTP Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": 
"T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious 
Taskkill Command"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To 
AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": 
"Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process 
Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": 
"T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": 
"T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allow Command, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender 
Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Sysprep On AppData Folder, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Elise Backdoor, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Aspnet Compiler"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Empire Monkey Activity, xWizard Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, Suspicious 
Windows Installer Execution, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, CMSTP Execution, MavInject Process Injection"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority 
Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": 
"Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In 
Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: 
Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": 
"T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used 
Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, 
"comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
index b2ae52e2a1..6f70f6acb9 100644
--- a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts 
(PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-17530 
Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
index c153003b31..373ffac02b 100644
--- a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Analysis Threat Center [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow 
Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus 
Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Explorer Wrong Parent"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Suspicious Outlook Child Process, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Exploiting SetupComplete.cmd CVE-2019-1378, Generic-reverse-shell-oneliner, Bloodhound and Sharphound Tools Usage, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Linux Bash Reverse Shell, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Sysprep On AppData Folder, QakBot Process Creation, Trickbot Malware Activity, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1098", "score": 100, 
"comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, 
Suspicious Outlook Child Process"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Netsh Port Forwarding"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", "score": 100, 
"comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Suspicious Mshta Execution, MOFComp Execution, MavInject Process Injection, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Empire Monkey Activity, Equation Group DLL_U Load, Control Panel Items, CMSTP Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: 
AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, Winword wrong parent, New Service Creation, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Explorer Wrong 
Parent, Csrss Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, Winword wrong parent, New Service Creation, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Explorer Wrong Parent, Csrss Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, Usage Of Sysinternals Tools, PsExec Process, Winword wrong parent, Suspicious DNS Child Process, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments, Csrss Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Rare Logonui Child Found, SolarWinds Suspicious File Creation, Exfiltration Via Pscp, Rare Lsass Child Found, Usage Of Sysinternals Tools, PsExec Process, Windows Update LolBins, Winword wrong parent, Suspicious DNS Child Process, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments, Csrss Child Found"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft 
Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious Outlook Child Process, Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, OceanLotus Registry Activity, FlowCloud Malware"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: 
Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": 
"T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem 
Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 
Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject 
Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": 
"T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Analysis Threat Center [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Rclone Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions 
Modifications"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender 
Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Driver Loaded, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allow Command, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation 
(CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Sysprep On AppData Folder, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Mshta Suspicious Child Process, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Cmd.exe Command Line, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Outlook Child Process, Suspicious Taskkill Command, Trickbot Malware Activity"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution, IcedID Execution Using Excel, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious DLL Loading By Ordinal, xWizard Execution, Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Explorer Process Executing HTA File, 
Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Control Process, Suspicious Mshta Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", 
"score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Suspicious Outlook Child Process, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": 
"T1059.003", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, WMIC Uninstall Product"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, New Service Creation, Searchprotocolhost Child Found, Csrss Child Found, Rare Lsass Child Found, SolarWinds Wrong Child Process, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, New Service Creation, Searchprotocolhost Child Found, Csrss Child Found, Rare Lsass Child Found, SolarWinds Wrong Child Process, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, Csrss Child Found, PsExec Process, Rare Lsass Child Found, SolarWinds 
Wrong Child Process, Winword wrong parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Windows Update LolBins, Searchprotocolhost Child Found, Csrss Child Found, SolarWinds Suspicious File Creation, PsExec Process, Exfiltration Via Pscp, Rare Lsass Child Found, SolarWinds Wrong Child Process, Winword wrong parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": 
"T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance 
Commands"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Netsh Port Forwarding, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem 
Service Installation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification, Kernel Module Alteration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows 
Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1123", 
"score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg 
Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, 
"comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json index 6dfec77787..3750dbc22d 100644 --- a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json 
+++ b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR) [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software 
Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": 
"T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Generic-reverse-shell-oneliner, Bloodhound and Sharphound Tools Usage, Elise Backdoor, Linux Bash Reverse Shell, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Python Offensive Tools and Packages, Microsoft Office Creating Suspicious File, Aspnet Compiler, Sysprep On AppData Folder, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence 
Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Kernel Module Alteration, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity), Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity), Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity), Explorer Process Executing HTA File, Cobalt Strike Default Beacons 
Names"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Lazarus Loaders, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", 
"score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, AccCheckConsole Executing Dll, Suspicious Mshta Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Equation Group DLL_U Load, Control Panel Items, MavInject Process Injection, Suspicious Control Process, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, CMSTP Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, 
PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious 
certutil command, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Ursnif Registry Key, OceanLotus Registry Activity, FlowCloud Malware"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows 
Credential Editor Registry Key"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: 
Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1547.001", "score": 100, "comment": 
"Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, 
"comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": 
"T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR) [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity), Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity), Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server, Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil 
command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Rclone Process"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Disabled IE Security Features, Package Manager Alteration, Raccine 
Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allow Command, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade 
Attack, MalwareBytes Uninstallation, Sysprep On AppData Folder, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Office Creating Suspicious File, AutoIt3 Execution From Suspicious Folder, Python Offensive Tools and Packages, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Elise Backdoor, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Aspnet Compiler"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Empire Monkey Activity, xWizard Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, CMSTP Execution, MavInject Process Injection"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: 
Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, NjRat Registry Changes, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil 
command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, 
Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process, Exfiltration Via Pscp, Usage Of Sysinternals Tools"}, {"techniqueID": "T1571", "score": 100, "comment": 
"Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By 
Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear 
EventLogs Through CommandLine"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt 
Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: 
PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: 
Change Default File Association"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
index d3fca02276..4695f22c57 100644
--- a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Claroty xDome [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Claroty xDome [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
index 9456009ff7..56ff88202a 100644
--- a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cybereason EDR Alert, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Cybereason EDR Alert, Microsoft Office Creating Suspicious File, Aspnet Compiler"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Cybereason EDR Alert, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: 
Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", 
"score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cybereason EDR Alert, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Cybereason EDR Alert, Aspnet Compiler"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: 
PsExec Process, Cybereason EDR Alert, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and 
Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH 
Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
index df692b21ca..4efcb39ff4 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope Transaction Events [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, 
"comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope Transaction Events [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 
servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, 
"comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
index 57538f1149..2e4ced1cab 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, 
ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": 
"T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 
BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API 
Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
index 11554516cf..647a981b18 100644
--- a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, 
Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Python HTTP Server, DNS 
Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Python HTTP Server, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE, CVE-2021-21972 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, 
"comment": "Rules: CVE-2021-34473 ProxyShell Attempt, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", 
"score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Lazarus Loaders, WMIC Uninstall Product"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus 
Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, 
{"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, 
High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": 
"T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Python HTTP Server, Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: 
Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Default Encoding To UTF-8 PowerShell, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Lazarus Loaders, Suspicious Taskkill Command, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus 
History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Taskkill Command, Control Panel Items, Suspicious Windows Installer Execution, MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, 
Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager 
Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Python HTTP Server, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Detect requests to Konni C2 
servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding"}, {"techniqueID": 
"T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall 
Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: 
Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json index 1da576113b..d8d96d8ac0 100644 --- a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file +{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json index 13afc513d8..ed83fe16d6 100644 --- a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": 
"Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Aspnet Compiler"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, 
{"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Aspnet Compiler"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: 
Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json index 49f18984a5..ba6103931a 100644 --- a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security 
Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) 
Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Generic-reverse-shell-oneliner, Bloodhound and Sharphound Tools Usage, Elise Backdoor, Linux Bash Reverse Shell, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Python Offensive Tools and Packages, Microsoft Office Creating Suspicious File, Aspnet Compiler, Sysprep On AppData Folder, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential 
Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange 
Server Creating Unusual Files, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Rclone Process, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, Detect requests to Konni C2 servers"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, 
"comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Lazarus Loaders, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, AccCheckConsole Executing Dll, Suspicious Mshta Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Equation Group DLL_U Load, Control Panel Items, MavInject Process Injection, Suspicious Control Process, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, CMSTP Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Port Opening, Netsh 
RDP Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, 
{"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence 
With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, 
{"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, 
{"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", 
"score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO 
Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Port Opening, 
WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allow Command, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, 
Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Sysprep On AppData Folder, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Office Creating Suspicious File, Python Offensive Tools and Packages, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Elise Backdoor, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Aspnet Compiler"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Empire Monkey Activity, xWizard Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, CMSTP Execution, MavInject Process Injection"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo 
Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority 
Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Rclone Process"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 
100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, SolarWinds Suspicious File Creation"}, 
{"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, 
Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config 
XML In Command-Line"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": 
"T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", 
"score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, 
{"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
index 7315897749..2a019f8353 100644
--- a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": 
"Rules: PsExec Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": 
"T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info 
Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
index 5086689685..d40b15ff56 100644
--- a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Trellix Network Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Trellix Network Security Threat Notified, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Trellix Network Security Threat Blocked, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator 
Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO 
Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trellix Network Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Trellix Network Security Threat Notified, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Trellix Network Security Threat Blocked, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, 
CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, 
"comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json index e80b00d881..bbe29f568a 100644 --- a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": 
"T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json index af7936bdbc..4766f2a394 100644 --- a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json index d5a23da5d8..367bd1d5ea 100644 --- a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, 
"comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json index 2e1f314b82..80cae50820 100644 --- a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Mshta Suspicious Child Process, Suspicious Outlook Child Process, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Exploiting SetupComplete.cmd CVE-2019-1378, Generic-reverse-shell-oneliner, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Bloodhound and Sharphound Tools Usage, Invoke-TheHash Commandlets, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Keywords, Linux Bash Reverse Shell, PowerShell Credential Prompt, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Interactive Terminal Spawned via Python, Venom Multi-hop Proxy agent detection, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Microsoft Defender Antivirus Threat Detected, PowerShell - NTFS Alternate Data Stream, Socat Relaying Socket, Python Offensive Tools and Packages, Microsoft Office Creating Suspicious File, Aspnet Compiler, Microsoft Office Spawning Script, Sysprep On AppData Folder, QakBot Process Creation, WMImplant Hack Tool, Trickbot Malware Activity, PowerShell Malicious Nishang PowerShell 
Commandlets, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious CodePage Switch with CHCP, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, WCE wceaux.dll Creation, HackTools Suspicious Names, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Exploiting SetupComplete.cmd 
CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable SecurityHealth, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, Disabled Service, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Windows Defender Deactivation Using PowerShell Script, AMSI Deactivation Using Registry Key, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable SecurityHealth, Powershell AMSI Bypass, Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, Disabled Service, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, 
Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, ETW Tampering, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, TrustedInstaller Impersonation, Microsoft Defender Antivirus Tampering Detected, Windows Defender Deactivation Using PowerShell Script, AMSI Deactivation Using Registry Key, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, SELinux Disabling, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, MavInject Process Injection, Taskhost Wrong Parent, Explorer Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, 
{"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Cron Files Alteration, Chafer (APT 39) Activity"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 
100, "comment": "Rules: NjRat Registry Changes, Kernel Module Alteration, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL, Autorun Keys Modification, Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Sysmon Windows File Block Executable, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Threat Detected, Microsoft Office Creating Suspicious File, Suspicious Outlook Child Process, Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, 
Sysmon Windows File Block Executable, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, Chafer (APT 39) Activity"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Chafer (APT 39) Activity"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Copy Of Legitimate System32 Executable, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, RTLO Character, Phorpiex Process 
Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Suspicious Mshta Execution, MOFComp Execution, MavInject Process Injection, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Empire Monkey Activity, Equation Group DLL_U Load, Control Panel Items, CVE-2017-11882 Microsoft Office Equation Editor 
Vulnerability, CMSTP Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Empire Monkey Activity, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon, Account Added To A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Bloodhound and Sharphound Tools Usage, Invoke-TheHash Commandlets, Suspicious PowerShell Keywords, PowerShell Credential Prompt, Suspicious Taskkill Command, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools 
Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, PowerShell - NTFS Alternate Data Stream, WMImplant Hack Tool, PowerShell Malicious PowerShell Commandlets, PowerShell Malicious Nishang PowerShell Commandlets, Malicious PowerShell Keywords, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Phosphorus Domain Controller Discovery, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, NlTest Usage, Trickbot Malware Activity, PowerView commandlets 2"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, WMImplant Hack Tool, Invoke-TheHash Commandlets, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File 
Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Register New Logon Process, Rubeus Tool Command-line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Winword wrong parent, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Chafer (APT 39) Activity, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Explorer Wrong Parent, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Winword wrong parent, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Chafer (APT 39) Activity, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Explorer Wrong Parent, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, PsExec Process, Winword wrong 
parent, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent, Suspicious DNS Child Process, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, PsExec Process, Windows Update LolBins, Winword wrong parent, Winlogon wrong parent, Rare Logonui Child Found, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Microsoft Defender Antivirus Threat Detected, Spoolsv Wrong Parent, Suspicious DNS Child Process, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Csrss Child Found, Wininit Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent, Exfiltration Via Pscp"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Suspicious Netsh DLL 
Persistence"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Login From Localhost, MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641, Suspicious HWP Child Process, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, Chafer (APT 39) Activity, FlowCloud Malware"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Qakbot Persistence Using 
Schtasks, STRRAT Scheduled Task, Chafer (APT 39) Activity"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Share Discovery"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, QakBot Process 
Creation, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": 
"T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, 
{"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: 
Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: 
Adidnsdump Enumeration"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP 
Scanner"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, Sysmon Windows File Block Executable, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Microsoft Defender Antivirus Threat Detected, MS Office Product Spawning Exe in User Dir, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, Exploit For CVE-2015-1641"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS 
Queries, Chafer (APT 39) Activity, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Rclone Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key"}, 
{"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SELinux Disabling, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable SecurityHealth, Debugging Software Deactivation, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Using Registry, Netsh Program Allowed With Suspicious Location, Disabled Service, TrustedInstaller Impersonation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, 
Disable .NET ETW Through COMPlus_ETWEnabled, SELinux Disabling, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Allow Command, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Using Registry, Netsh Program Allowed With Suspicious Location, Disabled Service, TrustedInstaller Impersonation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Sysprep On AppData Folder, Suspicious PowerShell Keywords, Suspicious XOR Encoded PowerShell Command Line, Suspicious Windows Script Execution, Malicious PowerShell Keywords, Interactive Terminal Spawned via Python, Socat Reverse 
Shell Detection, XSL Script Processing And SquiblyTwo Attack, PowerShell Malicious PowerShell Commandlets, WMIC Uninstall Product, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, AutoIt3 Execution From Suspicious Folder, Python Offensive Tools and Packages, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, PowerShell - NTFS Alternate Data Stream, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious VBS Execution Parameter, FromBase64String Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Suspicious PowerShell Invocations - Generic, WMImplant Hack Tool, Suspicious CodePage Switch with CHCP, Socat Relaying Socket, Linux Bash Reverse Shell, Mshta Suspicious Child Process, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Venom Multi-hop Proxy agent detection, Suspicious Outlook Child Process, Suspicious Taskkill Command, Trickbot Malware Activity, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Credential Prompt, Aspnet Compiler, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218", "score": 100, "comment": 
"Rules: CertOC Loading Dll, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution, Suspicious Regasm Regsvcs Usage, IcedID Execution Using Excel, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Control Process, Suspicious Mshta Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware, Impacket Wmiexec Module, WMImplant Hack Tool, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, New Service Creation, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, 
Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Chafer (APT 39) Activity, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, New Service Creation, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Chafer (APT 39) Activity, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": 
"T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, Winlogon wrong parent, Taskhost Wrong Parent, Exfiltration Via Pscp, Userinit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Microsoft Defender Antivirus Threat Detected, Winrshost Wrong Parent, Wininit Wrong Parent, Windows Update LolBins, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, NjRat Registry Changes, Powershell Winlogon Helper DLL, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, 
"comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Suspicious XOR Encoded PowerShell Command Line, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell - NTFS Alternate Data Stream, Exploited CVE-2020-10189 Zoho ManageEngine, FromBase64String Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Generic, WMImplant Hack Tool, Mshta Suspicious Child Process, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Credential Prompt, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group, Admin User RDP Remote Logon, Failed Logon Source From Public IP 
Addresses"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise 
Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, WMIC Uninstall Product"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Suspicious HWP Child Process, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Copy Of Legitimate System32 Executable, RTLO Character, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Powershell AMSI Bypass, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python 
Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Blue Mockingbird Malware, Chafer (APT 39) Activity, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Chafer (APT 39) Activity, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: 
Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, DHCP Server Loaded the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView 
commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, AdFind Usage, Phosphorus Domain Controller Discovery"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, Chafer (APT 39) Activity, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1001.003", "score": 100, "comment": 
"Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries, Python HTTP 
Server"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Login From Localhost, MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack, Rubeus Register New Logon Process"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution 
To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain 
Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Add User to Privileged Group"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File 
Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, 
{"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json index f5c8652a26..e85ec4fc7b 100644 --- a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json index 8f2d1c576c..c618e96e1c 100644 --- a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json 
+++ b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Mass Download By A Single User, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Malware Filter Policy Removed, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, 
Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) MCAS Risky IP"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Possible Malicious File Double Extension, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) MCAS Repeated Delete, Suspicious Double Extension, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Malware Filter Policy Removed, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) MCAS Risky IP"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Suspicious Double Extension, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert, 
Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Consumer Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Consumer Email Address"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses, Microsoft 365 Device Code Authentication, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious 
Inbox Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Entra ID Password Compromised By Know Credential Testing Tool"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Failed Logon Source From Public IP Addresses, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange 
Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Aspnet Compiler"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust 
Created Or Removed"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": 
"Rules: Microsoft 365 (Office 365) Malware Filter Rule Deletion, Possible Malicious File Double Extension, Suspicious Double Extension, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Malware Filter Policy Removed, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) MCAS New Country, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Mass Download By A Single User"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) AtpDetection, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) 
Malware Filter Policy Removed, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) MCAS New Country, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Mass Download By A Single User"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email 
Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group, Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: 
CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Failed Logon Source From Public IP Addresses, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": 
"Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Aspnet Compiler"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": 
"T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
index 852cf37219..50161262ab 100644
--- a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": 
"4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
index 197d437631..da3dd79d6c 100644
--- a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway Network [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway Network [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
index 756f77cd82..0d1d0199e8 100644
--- a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Salesforce [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default 
C2 URL, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Salesforce [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, 
"domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, 
{"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
index 205e7d50ca..e6ce212b28 100644
--- a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail Root ConsoleLogin"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail Root ConsoleLogin"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Important Change, AWS CloudTrail Disable MFA, AWS CloudTrail Remove Flow logs, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail GuardDuty Disruption"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Important Change, AWS CloudTrail Disable MFA, AWS CloudTrail GuardDuty Detector Deleted, AWS 
CloudTrail Remove Flow logs, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail GuardDuty Disruption"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail EC2 Subnet Deleted"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail RDS DB Cluster/Instance Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail IAM Failed User Creation, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail ECS 
Cluster Deleted, AWS CloudTrail IAM Policy Changed, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail EC2 Subnet Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail IAM Failed User Creation, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail IAM Policy Changed, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail Root ConsoleLogin"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail EC2 Subnet Deleted"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail RDS DB Cluster/Instance Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Remove Flow logs, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Disable MFA, AWS CloudTrail Important Change, AWS CloudTrail EC2 Security Group Modified"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail GuardDuty Disruption, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail Remove Flow logs, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Disable MFA, AWS CloudTrail Important Change"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS 
CloudTrail Remove Flow logs"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
index 6a775985ff..9c4285e2bf 100644
--- a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom Secure Web Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom Cloud Secure Web Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
index 3e566fd2b9..aef3e59ebf 100644
--- a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", 
"score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
index f4e064378c..431be60aa7 100644
--- a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1566.002", "score": 100, 
"comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", 
"navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double 
Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json
index 3dc014d70c..f2503c6c85 100644
--- a/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Panda Security SIEM Feeder", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, RDP Sensitive Settings Changed, Ursnif Registry Key, OceanLotus Registry Activity, FlowCloud Malware"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Panda Security SIEM Feeder", "versions": {"attack": "13", 
"layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Disable Workstation Lock, FlowCloud Malware"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
index bb076b2f0b..369f07f797 100644
--- a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Zscaler Internet Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 
ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator 
Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Zscaler Internet Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File 
Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files 
From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", 
"score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json index e93a0ceeb7..78a83102b3 100644 --- a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netskope Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: 
CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": 
"enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netskope Alert"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From 
Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json index 4215ccf263..ff488936dc 100644 --- a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double 
Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, 
CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json index f4df1f6dc9..f2c8c20e7a 100644 --- a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Scam Detected By Vade For M365 And Not Blocked, Spam Detected By Vade For M365 And Not Blocked, SEKOIA.IO Intelligence Feed, Spearphishing (CEO Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365, Spam Detected By Vade For M365, Scam Detected By Vade For M365, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Malware Detected By Vade For M365, Spearphishing (W2 Fraud) Detected By Vade For M365, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": 
[{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Spearphishing (Initial Contact Fraud) Detected By Vade For M365, SEKOIA.IO Intelligence Feed, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Spearphishing (W2 Fraud) Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, Spam Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365, Scam Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365, Spam Detected By Vade For M365, Spearphishing (CEO Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json index 1ca228d824..d65ba45978 100644 
--- a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token revoked, Okta API Token created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta Application deleted, Okta Application modified, Okta User Account Deactivated, Okta Admin Privilege Granted, Okta User Impersonation Access"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Unauthorized Access to App, Okta Suspicious Activity Reported"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta MFA Disabled, Okta Security Threat Configuration Updated, Okta Network Zone Deleted, Okta Network Zone Deactivated, Okta Network Zone Modified, Okta Blacklist Manipulations"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Network Zone Deleted, Okta Network Zone Modified"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Modified or Deleted, Okta Policy Rule Modified or Deleted"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence 
Feed, Okta Phishing Detection with FastPass Origin Check"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Okta Phishing Detection with FastPass Origin Check"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Rule Modified or Deleted, Okta Policy Modified or Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta User Account Deactivated, Okta Application modified, Okta Application deleted, Okta User Impersonation Access, Okta Admin Privilege Granted"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deleted, Okta Network Zone Deactivated, Okta Network Zone Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Network Zone Deleted, Okta Security Threat Configuration Updated, Okta Blacklist Manipulations, Okta MFA Disabled, Okta Network Zone Modified, Okta Network Zone Deactivated"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token created, Okta API Token revoked"}, 
{"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Suspicious Activity Reported, Okta Unauthorized Access to App"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json index 39c505c5f2..cf1d052498 100644 --- a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json 
@@ -1 +1 @@
-{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Generic-reverse-shell-oneliner, Bloodhound and Sharphound Tools Usage, Elise Backdoor, Linux Bash Reverse Shell, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Interactive Terminal Spawned via Python, Venom Multi-hop Proxy agent detection, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Socat Relaying Socket, Python Offensive Tools and Packages, Microsoft Office Creating Suspicious File, Sysprep On AppData Folder, PowerShell Malicious Nishang PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace 
Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, Disabled Service, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, SELinux 
Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, Disabled Service, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, ETW Tampering, Netsh RDP Port Forwarding, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, SELinux Disabling, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat 
Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious 
Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Lazarus Loaders, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, AccCheckConsole Executing Dll, Suspicious Mshta Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, Equation Group DLL_U Load, Control Panel Items, MavInject Process Injection, Suspicious Control Process, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, CMSTP Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: 
Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying 
Sensitive Files With Credential Data"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, 
{"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, 
SolarWinds Suspicious File Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": 
"Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, 
"comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1485", "score": 
100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, 
WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SELinux Disabling, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disabled Service"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh Port Opening, WMIC 
Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SELinux Disabling, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allow Command, Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disabled Service"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Sysprep On AppData Folder, Suspicious Windows Script Execution, Interactive Terminal Spawned via Python, Socat Reverse Shell Detection, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Office Creating Suspicious File, Python Offensive Tools and Packages, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Linux Bash Reverse Shell, Suspicious CodePage Switch with 
CHCP, Socat Relaying Socket, Elise Backdoor, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Venom Multi-hop Proxy agent detection, Suspicious Taskkill Command"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Empire Monkey Activity, xWizard Execution, Control Panel Items, Suspicious Control Process, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, CMSTP Execution, MavInject Process Injection"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious 
Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux 
Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence 
Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding, Socat Relaying Socket, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer 
Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, 
{"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI 
Persistence Script Event Consumer File Write"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via 
Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Hijack 
Legit RDP Session To Move Laterally"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
index ae0b4bd91f..d794f042a0
--- a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible 
Malicious File Double Extension, Suspicious Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From 
Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, 
"comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Aspnet Compiler"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: 
Suspicious Double Extension"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1572", "score": 100, 
"comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Aspnet Compiler"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1040", "score": 100, 
"comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated 
Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, 
{"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]} \ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
index 55a64579ee..244e37feff
--- a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}]} \ No newline at end of file +{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, 
"comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json index 0f3f9f117f..ace4efa6ee 100644 --- a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1588.002", 
"score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: 
Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts 
(PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json index 76ac8dadd8..f4b5fba3e9 100644 --- a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare Gateway HTTP [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1566.002", "score": 
100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated 
SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare Gateway HTTP [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command 
Injection, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": 
"T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json index f7429c86f5..8448be1619 100644 --- a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Stormshield SES [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File Or Folder Permissions Modifications"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging 
Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, AMSI Deactivation Using Registry Key, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Debugging Software Deactivation, Disabled IE Security Features, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Package Manager Alteration, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, AMSI Deactivation Using Registry Key, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus 
Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, ETW Tampering, Windows Firewall Changes, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, MavInject Process Injection, Taskhost Wrong Parent, Explorer Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Mshta Suspicious Child Process, Suspicious Outlook Child Process, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Exploiting SetupComplete.cmd CVE-2019-1378, Generic-reverse-shell-oneliner, Bloodhound and Sharphound Tools Usage, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Linux Bash Reverse Shell, Suspicious Taskkill Command, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Aspnet Compiler, Microsoft Office Spawning Script, Sysprep On AppData Folder, QakBot Process Creation, Trickbot Malware Activity, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, 
Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Cron Files Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network 
Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Stormshield Ses Critical Not Block, Stormshield Ses Critical Block, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, Stormshield Ses Emergency Block, Download Files From Suspicious TLDs, Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, IIS Module 
Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, Detect requests to Konni C2 servers"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Microsoft Office Spawning Script, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Possible Malicious File Double Extension, Suspicious 
Cmd.exe Command Line, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, WMIC Uninstall Product, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Suspicious Mshta Execution, MOFComp Execution, MavInject Process Injection, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Suspicious Taskkill Command, IcedID Execution Using Excel, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll, Suspicious Regasm Regsvcs Usage, Mshta JavaScript Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Empire Monkey Activity, Equation Group DLL_U Load, Control Panel Items, CMSTP Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By 
Ordinal, IcedID Execution Using Excel, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft 
Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, Blue Mockingbird Malware, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Winword wrong parent, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Explorer Wrong Parent, Csrss Child Found, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Winword wrong parent, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Explorer Wrong Parent, Csrss Child Found, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", 
"score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, PsExec Process, Winword wrong parent, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent, Suspicious DNS Child Process, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Csrss Child Found, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, PsExec Process, Windows Update LolBins, Winword wrong parent, Winlogon wrong parent, Rare Logonui Child Found, Dllhost Wrong Parent, Csrss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Spoolsv Wrong Parent, Suspicious DNS Child Process, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, Csrss Child Found, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent, Exfiltration Via Pscp"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Control Panel Items, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning 
Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Ursnif Registry Key, OceanLotus Registry Activity, FlowCloud Malware"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.005", 
"score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Rclone Process, Powershell UploadString Function"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, 
{"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, 
{"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, 
"comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, 
{"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Stormshield SES [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, Stormshield Ses Emergency Block, Stormshield Ses Critical Block, SquirrelWaffle Malspam Execution Loading DLL, Stormshield Ses Critical Not Block, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And 
Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious HWP Child Process, Suspicious Outlook Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Rclone Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", 
"score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Windows Firewall Changes, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh Port Opening, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allow Command, 
Debugging Software Deactivation, ETW Tampering, Disabled IE Security Features, Package Manager Alteration, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Clear EventLogs Through CommandLine, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Dism Disabling Windows Defender, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Sysprep On AppData Folder, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Office Spawning Script, AutoIt3 Execution From Suspicious Folder, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Mshta Suspicious Child 
Process, Elise Backdoor, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Suspicious Cmd.exe Command Line, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Outlook Child Process, Suspicious Taskkill Command, Trickbot Malware Activity, Aspnet Compiler"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution, IcedID Execution Using Excel, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious DLL Loading By Ordinal, xWizard Execution, Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Control Process, Suspicious Mshta Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Taskhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1543.003", "score": 100, "comment": 
"Rules: Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, New Service Creation, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, New Service Creation, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, Winlogon wrong parent, Taskhost Wrong Parent, Userinit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, 
Svchost Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Rare Logonui Child Found, Winlogon wrong parent, Taskhost Wrong Parent, Exfiltration Via Pscp, Userinit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Taskhostw Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Windows Update LolBins, Searchindexer Wrong Parent, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Wsmprovhost Wrong Parent, Logonui Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, PowerShell Download From URL, Suspicious PowerShell 
Invocations - Specific, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator 
Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line, WMIC Uninstall Product"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": 
"T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks 
Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Disable Workstation Lock, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows 
Installer Execution"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to 
Konni C2 servers, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, 
Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, List Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting 
SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, 
"comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: 
Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
index 72e94ffbc2..52ff8fc30a 100644
--- a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudFront [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudFront [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
index 2665ac9eee..3208be8ecc 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
@@ -1,167 +1,173 @@ -Changelog _last update on 2024-02-29_ +Changelog _last update on 2024-03-06_ ## Changelog +### Listing Systemd Environment + - 06/03/2024 - minor - Effort level was adapted according to the observed hits for the rule + +### Entra ID Password Compromised By Known Credential Testing Tool + - 05/03/2024 - minor - Rule name error was fixed + ### Exfiltration Domain - 29/02/2024 - minor - enforce detection by adding tag -### Non-Legitimate Executable Using AcceptEula Parameter - - 19/02/2024 - minor - Update filter and effort level according to the observed hits for the rule. - ### Outlook Registry Access - 19/02/2024 - minor - Effort level was adapted according to the observed hits for the rule -### Cybereason EDR Alert +### Non-Legitimate Executable Using AcceptEula Parameter + - 19/02/2024 - minor - Update filter and effort level according to the observed hits for the rule. + +### SentinelOne EDR Custom Rule Alert - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### CrowdStrike Falcon Intrusion Detection +### CrowdStrike Falcon Identity Protection Detection Informational Severity - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### WithSecure Elements Critical Severity +### Trend Micro Apex One Data Loss Prevention Alert - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### CrowdStrike Falcon Intrusion Detection Low Severity +### Login Failed Brute-Force On SentinelOne EDR Management Console - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### HarfangLab EDR Hlai Engine Detection +### SentinelOne EDR Threat Mitigation Report Kill Success - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. 
-### SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively +### SentinelOne EDR Malicious Threat Not Mitigated - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence) +### CrowdStrike Falcon Identity Protection Detection Low Severity - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### CrowdStrike Falcon Identity Protection Detection Medium Severity +### CrowdStrike Falcon Intrusion Detection High Severity - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### HarfangLab EDR Process Execution Blocked (HL-AI engine) +### SentinelOne EDR Threat Detected (Malicious) - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. ### CrowdStrike Falcon Identity Protection Detection High Severity - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### SentinelOne EDR Threat Detected (Suspicious) +### SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### CrowdStrike Falcon Intrusion Detection Critical Severity +### CrowdStrike Falcon Intrusion Detection - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### Trend Micro Apex One Malware Alert +### CrowdStrike Falcon Intrusion Detection Medium Severity - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### SentinelOne EDR Threat Mitigation Report Quarantine Success +### SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence) - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. 
-### SentinelOne EDR Threat Mitigation Report Kill Success +### SentinelOne EDR Threat Mitigation Report Quarantine Failed - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### Login Failed Brute-Force On SentinelOne EDR Management Console +### Cybereason EDR Alert - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### Trend Micro Apex One Intrusion Detection Alert +### WithSecure Elements Critical Severity - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### CrowdStrike Falcon Intrusion Detection Medium Severity +### CrowdStrike Falcon Intrusion Detection Low Severity - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. ### Login Brute-Force Successful On SentinelOne EDR Management Console - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### CrowdStrike Falcon Identity Protection Detection Informational Severity +### SentinelOne EDR Threat Detected (Suspicious) - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### SentinelOne EDR Threat Mitigation Report Remediate Success +### CrowdStrike Falcon Identity Protection Detection Critical Severity - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### Cybereason EDR Malware Detection +### HarfangLab EDR Process Execution Blocked (HL-AI engine) - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### Trend Micro Apex One Data Loss Prevention Alert +### CrowdStrike Falcon Identity Protection Detection Medium Severity - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. 
-### CrowdStrike Falcon Identity Protection Detection Low Severity +### CrowdStrike Falcon Intrusion Detection Critical Severity - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### CrowdStrike Falcon Identity Protection Detection Critical Severity +### HarfangLab EDR Hlai Engine Detection - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### CrowdStrike Falcon Intrusion Detection Informational Severity +### SentinelOne EDR SSO User Added - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### CrowdStrike Falcon Intrusion Detection High Severity +### SentinelOne EDR Threat Mitigation Report Remediate Success - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### SentinelOne EDR Custom Rule Alert +### Trend Micro Apex One Intrusion Detection Alert - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### SentinelOne EDR Threat Detected (Malicious) +### CrowdStrike Falcon Intrusion Detection Informational Severity - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### SentinelOne EDR SSO User Added +### SentinelOne EDR Threat Mitigation Report Quarantine Success - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### SentinelOne EDR Threat Mitigation Report Quarantine Failed +### Trend Micro Apex One Malware Alert - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### SentinelOne EDR Malicious Threat Not Mitigated +### Cybereason EDR Malware Detection - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. 
-### Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically +### AWS GuardDuty Medium Severity Alert - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### Okta MFA Disabled +### AWS CloudTrail GuardDuty Detector Suspended - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### AWS GuardDuty Medium Severity Alert +### Sekoia.io EICAR Detection - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### AWS GuardDuty High Severity Alert +### Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### Microsoft Defender for Office 365 High Severity AIR Alert +### Okta MFA Disabled - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### Sekoia.io EICAR Detection +### Microsoft Defender for Office 365 Medium Severity AIR Alert - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### AWS CloudTrail GuardDuty Detector Suspended +### Okta Phishing Detection with FastPass Origin Check - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### Microsoft Defender for Office 365 Medium Severity AIR Alert +### Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action +### Microsoft Defender for Office 365 High Severity AIR Alert - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### Okta Phishing Detection with FastPass Origin Check +### AWS GuardDuty High Severity Alert - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. 
### AWS CloudTrail GuardDuty Detector Deleted - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### CVE-2021-21985 VMware vCenter +### Antivirus Relevant File Paths Alerts - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### Antivirus Relevant File Paths Alerts +### MS Office Product Spawning Exe in User Dir - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. ### Microsoft Defender Antivirus Threat Detected - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### User Added to Local Administrators +### NlTest Usage - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### MS Office Product Spawning Exe in User Dir +### Microsoft Defender Antivirus Disabled Base64 Encoded - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. ### Netsh Port Forwarding - 15/02/2024 - minor - Added filter to reduce false positives -### Microsoft Defender Antivirus Disabled Base64 Encoded +### User Added to Local Administrators - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. -### NlTest Usage +### CVE-2021-21985 VMware vCenter - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule. ### WMIC Uninstall Product 
@@ -170,12 +176,12 @@ Changelog _last update on 2024-02-29_
 ### High Privileges Network Share Removal - 02/02/2024 - major - changing current pattern and adding another one -### Inhibit System Recovery Deleting Backups - - 31/01/2024 - minor - Improve selection filter - ### Svchost Wrong Parent - 31/01/2024 - minor - Adding filters to reduce false positives +### Inhibit System Recovery Deleting Backups + - 31/01/2024 - minor - Improve selection filter + ### Microsoft Office Product Spawning Windows Shell - 23/01/2024 - minor - Adding elements to increase detection and filters to reduce false positives.
@@ -197,12 +203,12 @@ Changelog _last update on 2024-02-29_
 ### Legitimate Process Execution From Unusual Folder - 04/01/2024 - major - Rework filter selection with contains instead of re modifier -### Grabbing Sensitive Hives Via Reg Utility - - 02/01/2024 - minor - Rule was improved to have broader detection and filters were added. - ### Suspicious Driver Loaded - 02/01/2024 - minor - improve selection to avoid FP +### Grabbing Sensitive Hives Via Reg Utility + - 02/01/2024 - minor - Rule was improved to have broader detection and filters were added. + ### SolarWinds Wrong Child Process - 22/12/2023 - minor - Adding a child process name to the filter list to avoid some FPs
@@ -221,18 +227,18 @@ Changelog _last update on 2024-02-29_ ### HTA Infection Chains - 30/11/2023 - minor - Update pattern with new lolbin +### PowerShell Download From URL + - 29/11/2023 - minor - Added a filter to the rule as some false positives were observed. + +### Netsh Program Allowed With Suspicious Location + - 29/11/2023 - minor - Update regex pattern to insensitive case + ### WMImplant Hack Tool - 29/11/2023 - minor - Added a selection to filter some false positives. ### NjRat Registry Changes - 29/11/2023 - minor - Update regex pattern to insensitive case -### Netsh Program Allowed With Suspicious Location - - 29/11/2023 - minor - Update regex pattern to insensitive case - -### PowerShell Download From URL - - 29/11/2023 - minor - Added a filter to the rule as some false positives were observed. - ### RDP Login From Localhost - 24/11/2023 - minor - Effort level changed to advanced. 
@@ -242,44 +248,44 @@ Changelog _last update on 2024-02-29_ ### TOR Usage Generic Rule - 22/11/2023 - minor - Adding filter to improve rule. -### WiFi Credentials Harvesting Using Netsh - - 21/11/2023 - minor - Rule's effort level has been changed to advanced as it was highly dependent on the environment. - ### AD Object WriteDAC Access - 21/11/2023 - minor - Rule's effort level has been changed to advanced as legitimate administrator actions can trigger the rule. +### WiFi Credentials Harvesting Using Netsh + - 21/11/2023 - minor - Rule's effort level has been changed to advanced as it was highly dependent on the environment. + ### Suspicious Double Extension - 21/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment. ### PowerShell Credential Prompt - 20/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment. -### WAF Block Rule - - 15/11/2023 - minor - Adding support for Ubika - ### AWS CloudTrail Remove Flow logs - 15/11/2023 - minor - Changing effort level. -### Cobalt Strike Default Beacons Names - - 08/11/2023 - minor - Added filter to reduce false positives +### WAF Block Rule + - 15/11/2023 - minor - Adding support for Ubika ### NTDS.dit File Interaction Through Command Line - 08/11/2023 - minor - Added filter to reduce false positives +### Cobalt Strike Default Beacons Names + - 08/11/2023 - minor - Added filter to reduce false positives + ### ETW Tampering - 08/11/2023 - minor - Added filter to reduce false positives +### CMSTP Execution + - 19/10/2023 - minor - Slight change in selection to reduce false positives. Adding similarity. + ### Denied Access To Remote Desktop - 19/10/2023 - minor - Minor change in selection to reduce false positives. -### Suspicious Windows Script Execution - - 19/10/2023 - major - Review of the rule to reduce false positives. 
- ### Domain Trust Discovery Through LDAP - 19/10/2023 - minor - improve filter to reduce false positives -### CMSTP Execution - - 19/10/2023 - minor - Slight change in selection to reduce false positives. Adding similarity. +### Suspicious Windows Script Execution + - 19/10/2023 - major - Review of the rule to reduce false positives. ### Transfering Files With Credential Data Via Network Shares - 17/10/2023 - minor - Improve selection to reduce false positives
@@ -287,13 +293,13 @@ Changelog _last update on 2024-02-29_
 ### AdFind Usage - 12/10/2023 - minor - Slight change to a condition in order to reduce false positives. -### Microsoft 365 (Office 365) Mass Download By A Single User +### Microsoft 365 (Office 365) Potential Ransomware Activity Detected - 09/10/2023 - major - Fix field names to match the current parser. ### Microsoft 365 (Office 365) Unusual Volume Of File Deletion - 09/10/2023 - major - Fix field names to match the current parser. -### Microsoft 365 (Office 365) Potential Ransomware Activity Detected +### Microsoft 365 (Office 365) Mass Download By A Single User - 09/10/2023 - major - Fix field names to match the current parser. ### Login Brute-Force Successful
@@ -305,70 +311,70 @@ Changelog _last update on 2024-02-29_ ### Suspicious Regasm Regsvcs Usage - 27/09/2023 - major - Rule creation +### UAC Bypass via Event Viewer + - 21/09/2023 - minor - Improve filter to reduce false positives + ### Suspicious Rundll32.exe Execution - 21/09/2023 - minor - Extend to some usage without dll filename -### UAC Bypass via Event Viewer - - 21/09/2023 - minor - Improve filter to reduce false positives +### Spoolsv Wrong Parent + - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Searchindexer Wrong Parent +### Winlogon wrong parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation ### Wmiprvse Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Opening Of a Password File +### Winword wrong parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Lsass Wrong Parent +### Gpscript Suspicious Parent + - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation + +### Wsmprovhost Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation ### Smss Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Taskhost Wrong Parent +### Taskhostw Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Wininit Wrong Parent +### Searchindexer Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Spoolsv Wrong Parent +### Winrshost Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Winword wrong parent +### Wininit Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Userinit Wrong Parent +### Csrss 
Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Taskhostw Wrong Parent +### Explorer Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Gpscript Suspicious Parent +### Dllhost Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation ### Searchprotocolhost Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Wsmprovhost Wrong Parent +### Taskhost Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Csrss Wrong Parent +### Userinit Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Dllhost Wrong Parent +### Opening Of a Password File - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation ### Logonui Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Winlogon wrong parent - - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation - -### Explorer Wrong Parent - - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation - -### Winrshost Wrong Parent +### Lsass Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation ### Suspicious Network Args In Command Line 
@@ -377,12 +383,12 @@ Changelog _last update on 2024-02-29_ ### Okta User Logged In Multiple Applications - 07/08/2023 - major - Switching type from event_count to value_count | Adding Target in order to match only on different Apps -### Microsoft Defender Antivirus Tampering Detected - - 07/08/2023 - minor - Rule effort changed from intermediate to advanced considering the number of false positives observed. - ### Microsoft Defender Antivirus Exclusion Configuration - 07/08/2023 - major - Considering the amount of false positives the rule effort has been changed to master. Furthermore a filter has been added. +### Microsoft Defender Antivirus Tampering Detected + - 07/08/2023 - minor - Rule effort changed from intermediate to advanced considering the number of false positives observed. + ### Potential LokiBot User-Agent - 04/08/2023 - minor - Added a condition to only match on internal IP as source @@ -395,10 +401,10 @@ Changelog _last update on 2024-02-29_ ### Wmic Process Call Creation - 01/08/2023 - major - Rewritten as a regex to reduce false positives -### Potential DNS Tunnel +### Correlation Potential DNS Tunnel - 19/07/2023 - major - New regex pattern and new filters. -### Correlation Potential DNS Tunnel +### Potential DNS Tunnel - 19/07/2023 - major - New regex pattern and new filters. ### Privileged AD Builtin Group Modified 
@@ -431,27 +437,27 @@ Changelog _last update on 2024-02-29_ ### Suspicious PowerShell Invocations - Specific - 26/05/2023 - minor - Added a filter to the rule as some false positives were observed. -### Internet Scanner Target - - 28/04/2023 - minor - Support for standard ECS FW fields - ### Internet Scanner - 28/04/2023 - minor - Support for standard ECS FW fields -### Audio Capture via PowerShell - - 18/04/2023 - minor - Use more specific patterns to fix false positives. +### Internet Scanner Target + - 28/04/2023 - minor - Support for standard ECS FW fields ### Remote Privileged Group Enumeration - 18/04/2023 - minor - Exclude events from the Local System session that cause false positives. +### Audio Capture via PowerShell + - 18/04/2023 - minor - Use more specific patterns to fix false positives. + ### LSASS Memory Dump - 06/04/2023 - minor - Rule effort has been upgraded to master considering the number of different false positives the rule can trigger. -### Active Directory User Backdoors - - 06/04/2023 - minor - Removed a selection as it triggered too many false positives, and the detection was not part of the main goal of this rule. - ### Mimikatz Basic Commands - 06/04/2023 - minor - Added a filter to the rule as many false positives were observed. +### Active Directory User Backdoors + - 06/04/2023 - minor - Removed a selection as it triggered too many false positives, and the detection was not part of the main goal of this rule. + ### Suspicious PowerShell Invocations - Generic - 28/03/2023 - minor - Excluded some commonly observed false positives. diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md index 1a088daf6b..ae6a901b54 100644 --- a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md 
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md @@ -1,4 +1,4 @@ -Rules catalog includes **811 built-in detection rules** ([_last update on 2024-02-29_](rules_changelog.md)). +Rules catalog includes **811 built-in detection rules** ([_last update on 2024-03-06_](rules_changelog.md)). ## Reconnaissance **Gather Victim Network Information** @@ -8773,12 +8773,16 @@ Rules catalog includes **811 built-in detection rules** ([_last update on 2024-0 - **Effort:** master -??? abstract "Entra ID Password Compromised By Know Credential Testing Tool" +??? abstract "Entra ID Password Compromised By Known Credential Testing Tool" Detects a sign-in that has a correlation ID known to be used by malicious credential testing scripts. Note that even if the sign-in was blocked by MFA (error 50074) or device authentication (error 50097), these verifications only occur after the correct password was submitted. The account's password must still be considered compromised, and be changed. - **Effort:** elementary + - **Changelog:** + + - 05/03/2024 - minor - Rule name error was fixed + ??? abstract "Fortinet FortiGate Firewall Login In Failure" Detects failed login attemps on firewall administration rule. Prerequisites, check that the firewall logs format corresponds to the rule 
@@ -9311,8 +9315,12 @@ Rules catalog includes **811 built-in detection rules** ([_last update on 2024-0 Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced + + - **Changelog:** + - 06/03/2024 - minor - Effort level was adapted according to the observed hits for the rule + ??? abstract "Suspicious Headless Web Browser Execution To Download File" Detects a suspicious command used to execute a Chromium-based web browser (Chrome or Edge) using the headless mode, meaning that the browser window wouldn't be visible, and the dump mode to download a file. This technique can be used to fingerprint the compromised host, in particular by the Ducktail infostealer. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.md index a6f2b35c7d..30ea2c567f 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.md @@ -181,7 +181,7 @@ The following Sekoia.io built-in rules match the intake **Google Kubernetes Engi Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "Malicious Browser Extensions" 
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.md index 087aac3c14..5d3a12a09b 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.md @@ -409,7 +409,7 @@ The following Sekoia.io built-in rules match the intake **Elastic AuditBeat Linu Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "MSBuild Abuse" diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md index 1dc3c26ceb..405659dd58 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md @@ -523,7 +523,7 @@ The following Sekoia.io built-in rules match the intake **WithSecure Elements**. Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "MSBuild Abuse" 
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.md index 9230ef8759..4ed93f19d1 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.md @@ -559,7 +559,7 @@ The following Sekoia.io built-in rules match the intake **Microsoft 365 Defender Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "MMC Spawning Windows Shell" diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md index 7f51456916..a3ce0f9d0a 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md @@ -499,7 +499,7 @@ The following Sekoia.io built-in rules match the intake **Trend Micro Apex One** Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "MSBuild Abuse" 
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.md index f0b9be7ab9..52b8e0ae1c 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.md @@ -271,7 +271,7 @@ The following Sekoia.io built-in rules match the intake **SentinelOne EDR**. Thi Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "MS Office Product Spawning Exe in User Dir" diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md index 757bcd451a..32c98d371b 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md @@ -463,7 +463,7 @@ The following Sekoia.io built-in rules match the intake **Cybereason EDR activit Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "MMC Spawning Windows Shell" 
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.md index 83bd344512..3e5f1b00c2 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.md @@ -217,7 +217,7 @@ The following Sekoia.io built-in rules match the intake **Crowdstrike Falcon Tel Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "Malicious Browser Extensions" diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.md index 6ecc365e63..fc9e152aa7 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.md @@ -181,7 +181,7 @@ The following Sekoia.io built-in rules match the intake **Azure Linux [DEPRECATE Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "Malicious Browser Extensions" 
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.md index 0e83a64b6d..d7ee5eccce 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.md @@ -187,7 +187,7 @@ The following Sekoia.io built-in rules match the intake **RSA SecurID**. This do Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "Malicious Browser Extensions" diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md index fcfc48bdfc..547cea13ae 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md @@ -589,7 +589,7 @@ The following Sekoia.io built-in rules match the intake **CrowdStrike Falcon**. Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "Logonui Wrong Parent" 
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md index 47aef0a4b5..b456c9cacc 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md @@ -637,7 +637,7 @@ The following Sekoia.io built-in rules match the intake **Azure Windows**. This Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "Logonui Wrong Parent" diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.md index 74b1129752..096283a959 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.md @@ -181,7 +181,7 @@ The following Sekoia.io built-in rules match the intake **VMware ESXi**. This do Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "Malicious Browser Extensions" 
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md index 7eea185730..596f38d65a 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md @@ -685,7 +685,7 @@ The following Sekoia.io built-in rules match the intake **HarfangLab EDR**. This Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "Logonui Wrong Parent" diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.md index a0726761d0..d8697cda19 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.md @@ -637,7 +637,7 @@ The following Sekoia.io built-in rules match the intake **SentinelOne Cloud Funn Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "Load Of dbghelp/dbgcore DLL From Suspicious Process" 
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md index f4a7e1d6e3..ef202fa24c 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md @@ -457,7 +457,7 @@ The following Sekoia.io built-in rules match the intake **Cisco NX-OS**. This do Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "MSBuild Abuse" diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.md index ae081bea2c..199feb46f8 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.md @@ -193,7 +193,7 @@ The following Sekoia.io built-in rules match the intake **Tanium**. This documen Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "Malicious Browser Extensions" 
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.md index 010af3021f..76d0e2d077 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.md @@ -181,7 +181,7 @@ The following Sekoia.io built-in rules match the intake **WALLIX Bastion**. This Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "Malicious Browser Extensions" diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.md index a08eee97b8..e612df54f5 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.md @@ -403,7 +403,7 @@ The following Sekoia.io built-in rules match the intake **Stormshield SNS**. Thi Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "MSBuild Abuse" 
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.md index eb56f6418d..623c4e8cf2 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.md @@ -631,7 +631,7 @@ The following Sekoia.io built-in rules match the intake **SentinelOne Cloud Funn Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "Load Of dbghelp/dbgcore DLL From Suspicious Process" diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md index 43f34f46f6..3bb7f34f80 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md @@ -487,7 +487,7 @@ The following Sekoia.io built-in rules match the intake **TEHTRIS EDR**. This do Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "MSBuild Abuse" 
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md index c849b9860b..4a5f9c81e8 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md @@ -1135,7 +1135,7 @@ The following Sekoia.io built-in rules match the intake **Windows**. This docume Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "Load Of dbghelp/dbgcore DLL From Suspicious Process" diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.md index db8513f425..71c9d9421e 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.md @@ -397,7 +397,7 @@ The following Sekoia.io built-in rules match the intake **Trellix EDR [ALPHA]**. Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "MSBuild Abuse" 
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.md index 989ce28f19..1b7d86d3c9 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.md @@ -547,7 +547,7 @@ The following Sekoia.io built-in rules match the intake **Sophos Analysis Threat Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "MMC Spawning Windows Shell" diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.md index 65b24849b4..4c7237407f 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.md @@ -469,7 +469,7 @@ The following Sekoia.io built-in rules match the intake **Palo Alto Cortex XDR ( Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "MSBuild Abuse" 
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.md index 17e0aa8153..b26ece94fa 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.md @@ -379,7 +379,7 @@ The following Sekoia.io built-in rules match the intake **F5 BIG-IP**. This docu Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "LokiBot Default C2 URL" diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.md index 908136d764..fafa19f10e 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.md @@ -475,7 +475,7 @@ The following Sekoia.io built-in rules match the intake **Trend Micro Cloud One Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "MSBuild Abuse" 
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md index 666b836946..c7ef8eb87c 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md @@ -727,7 +727,7 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**. Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "Logonui Wrong Parent" diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md index 47ae1cbb96..0b4bdf0d9d 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md 
@@ -117,7 +117,7 @@ The following Sekoia.io built-in rules match the intake **Microsoft 365 / Office - **Effort:** master -??? abstract "Entra ID Password Compromised By Know Credential Testing Tool" +??? abstract "Entra ID Password Compromised By Known Credential Testing Tool" Detects a sign-in that has a correlation ID known to be used by malicious credential testing scripts. Note that even if the sign-in was blocked by MFA (error 50074) or device authentication (error 50097), these verifications only occur after the correct password was submitted. The account's password must still be considered compromised, and be changed. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.md index d7c5b89362..d1fef884f9 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.md 
@@ -1,8 +1,8 @@ ## Related Built-in Rules -The following Sekoia.io built-in rules match the intake **Broadcom Secure Web Gateway [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake. +The following Sekoia.io built-in rules match the intake **Broadcom Cloud Secure Web Gateway [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake. -[SEKOIA.IO x Broadcom Secure Web Gateway [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json){ .md-button } +[SEKOIA.IO x Broadcom Cloud Secure Web Gateway [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json){ .md-button } ??? abstract "Bazar Loader DGA (Domain Generation Algorithm)" Detects Bazar Loader domains based on the Bazar Loader DGA diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.md index e6ba1fe909..bfeec1f026 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.md 
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.md @@ -427,7 +427,7 @@ The following Sekoia.io built-in rules match the intake **IBM AIX**. This docume Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "MSBuild Abuse" diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md index 5311c1b696..ab30e46553 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md @@ -595,7 +595,7 @@ The following Sekoia.io built-in rules match the intake **Stormshield SES [BETA] Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. - - **Effort:** elementary + - **Effort:** advanced ??? abstract "Logonui Wrong Parent" diff --git a/docs/xdr/features/detect/built_in_detection_rules_eventids.md b/docs/xdr/features/detect/built_in_detection_rules_eventids.md index 24d12c19e6..233ee65b41 100644 --- a/docs/xdr/features/detect/built_in_detection_rules_eventids.md +++ b/docs/xdr/features/detect/built_in_detection_rules_eventids.md 
@@ -1,6 +1,6 @@ # Built-in detection rules, EventIDs and EventProviders relations SEKOIA.IO provides built-in detection rules to illuminate intrusions, adversarial behaviours and suspicious activity escalation chains so you can immediately take steps to remediate. Built-in rules can be customized to your context and according to your security posture. -This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2024-02-29_ +This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2024-03-06_ The colors of the EventIDs in this page should be interpreted as follow: 
@@ -12,512 +12,535 @@ The colors of the EventIDs in this page should be interpreted as follow: ## Rules x Effort Level x EventIDs x Event Providers | Rule Name | Effort Level | EventIDs | Event Providers | | --------- | ------------ | -------- | --------------- | -| Putty Sessions Listing | master | 1, 4656, 4663 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon | -| Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically | master | 64 | | +| Microsoft Defender Antivirus Disable Using Registry | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| CVE-2017-11882 Microsoft Office Equation Editor Vulnerability | master | 3 | Microsoft-Windows-Sysmon | +| MS Office Product Spawning Exe in User Dir | master | 1 | Microsoft-Windows-Sysmon | +| Windows Registry Persistence COM Key Linking | master | 1, 13 | Microsoft-Windows-Sysmon | +| User Added to Local Administrators | master | 4732 | Microsoft-Windows-Security-Auditing | +| NjRat Registry Changes | master | 1, 12, 13 | Microsoft-Windows-Sysmon | +| Admin User RDP Remote Logon | master | 4624 | Microsoft-Windows-Security-Auditing | +| Netsh Port Opening | master | 1 | Microsoft-Windows-Sysmon | +| Disable Security Events Logging Adding Reg Key MiniNt | master | 13 | Microsoft-Windows-Sysmon | | List Shadow Copies | master | 4104 | Microsoft-Windows-PowerShell | -| SCM Database Privileged Operation | master | 4674 | Microsoft-Windows-Security-Auditing | -| AD Privileged Users Or Groups Reconnaissance | master | 4661 | Microsoft-Windows-Security-Auditing | -| Autorun Keys Modification | master | 12 | Microsoft-Windows-Sysmon | -| Data Compressed With Rar | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Microsoft Defender for Office 365 Medium Severity AIR Alert | master | 64 | | -| Microsoft Defender for Office 365 High Severity AIR Alert | master | 64 | | -| Microsoft 365 (Office 365) MCAS Risky IP | master | 98 | | | 
Net.exe User Account Creation | master | 1 | Microsoft-Windows-Sysmon | -| Remote Registry Management Using Reg Utility | master | 5145 | Microsoft-Windows-Security-Auditing | -| SCM Database Handle Failure | master | 4656 | Microsoft-Windows-Security-Auditing | -| Microsoft 365 (Office 365) MCAS New Country | master | 98 | | -| Windows Registry Persistence COM Key Linking | master | 1, 13 | Microsoft-Windows-Sysmon | +| Suspicious DLL Loaded Via Office Applications | master | 7 | Microsoft-Windows-Sysmon | +| Account Removed From A Security Enabled Group | master | 4729 | Microsoft-Windows-Security-Auditing | +| Suspicious PsExec Execution | master | 5145 | Microsoft-Windows-Security-Auditing | +| Microsoft 365 (Office 365) MCAS Inbox Hiding | master | 98 | | +| Registry Checked For Lanmanserver DisableCompression Parameter | master | 4663 | Microsoft-Windows-Security-Auditing | +| Protected Storage Service Access | master | 5145 | Microsoft-Windows-Security-Auditing | +| SCM Database Privileged Operation | master | 4674 | Microsoft-Windows-Security-Auditing | +| Potential RDP Connection To Non-Domain Host | master | 8001 | Microsoft-Windows-NTLM | +| Microsoft 365 (Office 365) MCAS Repeated Delete | master | 98 | | +| Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys | master | 13 | Microsoft-Windows-Sysmon | | Windows Firewall Changes | master | 1 | Microsoft-Windows-Sysmon | -| WMIC Loading Scripting Libraries | master | 7 | Microsoft-Windows-Sysmon | -| DNS ServerLevelPluginDll Installation | master | 1, 13 | Microsoft-Windows-Sysmon | +| Computer Account Deleted | master | 4743 | Microsoft-Windows-Security-Auditing | +| File Or Folder Permissions Modifications | master | 1 | Microsoft-Windows-Sysmon | +| Sysmon Windows File Block Executable | master | 27 | Microsoft-Windows-Sysmon | +| Remote Registry Management Using Reg Utility | master | 5145 | Microsoft-Windows-Security-Auditing | | Suspicious Access To Sensitive File 
Extensions | master | 5145 | Microsoft-Windows-Security-Auditing | -| NjRat Registry Changes | master | 1, 12, 13 | Microsoft-Windows-Sysmon | -| TOR Usage Generic Rule | master | 3 | Microsoft-Windows-Sysmon | -| Abusing Azure Browser SSO | master | 7 | Microsoft-Windows-Sysmon | -| PowerShell Malicious PowerShell Commandlets | master | 4104 | Microsoft-Windows-PowerShell | -| Microsoft Defender Antivirus History Deleted | master | 1013 | Microsoft-Windows-Windows Defender | -| CVE-2017-11882 Microsoft Office Equation Editor Vulnerability | master | 3 | Microsoft-Windows-Sysmon | -| LSASS Access From Non System Account | master | 4656, 4663 | Microsoft-Windows-Security-Auditing | -| Outlook Registry Access | master | 1 | Microsoft-Windows-Sysmon | -| Suspicious Microsoft Defender Antivirus Exclusion Command | master | 1 | Microsoft-Windows-Sysmon | -| Microsoft Office Creating Suspicious File | master | 11 | Microsoft-Windows-Sysmon | -| LSASS Memory Dump | master | 10 | Microsoft-Windows-Sysmon | -| Failed Logon Source From Public IP Addresses | master | 4625 | Microsoft-Windows-Security-Auditing | -| FromBase64String Command Line | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Microsoft 365 Device Code Authentication | master | 15 | | -| User Account Created | master | 4720 | Microsoft-Windows-Security-Auditing | -| Microsoft 365 (Office 365) Potential Ransomware Activity Detected | master | 40 | | | User Account Deleted | master | 4726 | Microsoft-Windows-Security-Auditing | -| Rubeus Register New Logon Process | master | 4611 | Microsoft-Windows-Security-Auditing | -| Potential RDP Connection To Non-Domain Host | master | 8001 | Microsoft-Windows-NTLM | -| Cobalt Strike Named Pipes | master | 17 | Microsoft-Windows-Sysmon | +| Windows Defender Deactivation Using PowerShell Script | master | 4104 | Microsoft-Windows-PowerShell | +| Execution From Suspicious Folder | master | 1 | Microsoft-Windows-Sysmon | +| Microsoft Defender 
for Office 365 Low Severity AIR Alert Requires Action | master | 64 | | +| Remote Monitoring and Management Software - AnyDesk | master | 1, 22 | Kernel-Process, Microsoft-Windows-DNS-Client | +| Abusing Azure Browser SSO | master | 7 | Microsoft-Windows-Sysmon | +| AD Privileged Users Or Groups Reconnaissance | master | 4661 | Microsoft-Windows-Security-Auditing | +| Microsoft 365 (Office 365) MCAS Risky IP | master | 98 | | | Malware Persistence Registry Key | master | 1, 13 | Microsoft-Windows-Sysmon | -| Sysmon Windows File Block Executable | master | 27 | Microsoft-Windows-Sysmon | -| Advanced IP Scanner | master | 1 | Microsoft-Windows-Sysmon | -| Microsoft 365 (Office 365) MCAS Repeated Delete | master | 98 | | -| Suspicious DLL Loaded Via Office Applications | master | 7 | Microsoft-Windows-Sysmon | +| Privileged AD Builtin Group Modified | master | 4727, 4728, 4729, 4730, 4754, 4756, 4757, 4758, 4764 | Microsoft-Windows-Security-Auditing | | Microsoft Defender Antivirus Configuration Changed | master | 5007 | Microsoft-Windows-Windows Defender | +| Microsoft 365 (Office 365) Potential Ransomware Activity Detected | master | 40 | | +| Microsoft 365 (Office 365) MCAS Repeated Failed Login | master | 98 | | +| Account Added To A Security Enabled Group | master | 4728 | Microsoft-Windows-Security-Auditing | +| Microsoft Defender for Office 365 High Severity AIR Alert | master | 64 | | +| LSASS Access From Non System Account | master | 4656, 4663 | Microsoft-Windows-Security-Auditing | +| User Couldn't Call A Privileged Service LsaRegisterLogonProcess | master | 4673 | Microsoft-Windows-Security-Auditing | +| CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv | master | 7, 11 | Microsoft-Windows-Sysmon | +| Outlook Registry Access | master | 1 | Microsoft-Windows-Sysmon | +| SCM Database Handle Failure | master | 4656 | Microsoft-Windows-Security-Auditing | +| Microsoft 365 (Office 365) MCAS New Country | master | 98 | | +| DNS 
ServerLevelPluginDll Installation | master | 1, 13 | Microsoft-Windows-Sysmon | +| Credential Dumping-Tools Common Named Pipes | master | 17 | Microsoft-Windows-Sysmon | | AD User Enumeration | master | 4662 | Microsoft-Windows-Security-Auditing | -| Computer Account Deleted | master | 4743 | Microsoft-Windows-Security-Auditing | -| WMI DLL Loaded Via Office | master | 7 | Microsoft-Windows-Sysmon | +| Svchost DLL Search Order Hijack | master | 7 | Microsoft-Windows-Sysmon | | xWizard Execution | master | 1 | Kernel-Process | +| User Account Created | master | 4720 | Microsoft-Windows-Security-Auditing | +| Microsoft 365 (Office 365) MCAS Detection Velocity | master | 98 | | +| Webshell Creation | master | 11, 4656, 4663 | Microsoft-Windows-Sysmon | +| Advanced IP Scanner | master | 1 | Microsoft-Windows-Sysmon | +| LSASS Memory Dump | master | 10 | Microsoft-Windows-Sysmon | +| Autorun Keys Modification | master | 12 | Microsoft-Windows-Sysmon | +| Suspicious Microsoft Defender Antivirus Exclusion Command | master | 1 | Microsoft-Windows-Sysmon | +| FoggyWeb Backdoor DLL Loading | master | 7 | Microsoft-Windows-Sysmon | | Stop Backup Services | master | 1, 13 | Microsoft-Windows-Sysmon | -| Remote Monitoring and Management Software - AnyDesk | master | 1, 22 | Kernel-Process, Microsoft-Windows-DNS-Client | -| User Added to Local Administrators | master | 4732 | Microsoft-Windows-Security-Auditing | -| Microsoft Defender Antivirus Disable Using Registry | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Windows Defender Deactivation Using PowerShell Script | master | 4104 | Microsoft-Windows-PowerShell | -| MS Office Product Spawning Exe in User Dir | master | 1 | Microsoft-Windows-Sysmon | -| User Couldn't Call A Privileged Service LsaRegisterLogonProcess | master | 4673 | Microsoft-Windows-Security-Auditing | -| Usage Of Sysinternals Tools | master | 1, 13 | Microsoft-Windows-Sysmon | -| Credential Dumping-Tools Common Named Pipes | 
master | 17 | Microsoft-Windows-Sysmon | -| Registry Checked For Lanmanserver DisableCompression Parameter | master | 4663 | Microsoft-Windows-Security-Auditing | +| Microsoft Office Creating Suspicious File | master | 11 | Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus Exclusion Configuration | master | 13, 5007 | Microsoft-Windows-Sysmon, Microsoft-Windows-Windows Defender | +| Failed Logon Source From Public IP Addresses | master | 4625 | Microsoft-Windows-Security-Auditing | +| In-memory PowerShell | master | 7 | Microsoft-Windows-Sysmon | +| Network Share Discovery | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus History Deleted | master | 1013 | Microsoft-Windows-Windows Defender | +| Process Herpaderping | master | 25 | Microsoft-Windows-Sysmon | | Narrator Feedback-Hub Persistence | master | 13 | Microsoft-Windows-Sysmon | -| FoggyWeb Backdoor DLL Loading | master | 7 | Microsoft-Windows-Sysmon | -| Webshell Creation | master | 11, 4656, 4663 | Microsoft-Windows-Sysmon | -| Protected Storage Service Access | master | 5145 | Microsoft-Windows-Security-Auditing | -| Microsoft 365 (Office 365) MCAS Repeated Failed Login | master | 98 | | -| Suspicious PsExec Execution | master | 5145 | Microsoft-Windows-Security-Auditing | -| Execution From Suspicious Folder | master | 1 | Microsoft-Windows-Sysmon | -| CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv | master | 7, 11 | Microsoft-Windows-Sysmon | +| Usage Of Sysinternals Tools | master | 1, 13 | Microsoft-Windows-Sysmon | | Suspicious New Printer Ports In Registry | master | 13 | Microsoft-Windows-Sysmon | -| Microsoft Defender Antivirus Exclusion Configuration | master | 13, 5007 | Microsoft-Windows-Sysmon, Microsoft-Windows-Windows Defender | -| Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys | master | 13 | Microsoft-Windows-Sysmon | -| Account Removed From A Security Enabled Group | 
master | 4729 | Microsoft-Windows-Security-Auditing | +| WMI DLL Loaded Via Office | master | 7 | Microsoft-Windows-Sysmon | +| PowerShell Malicious PowerShell Commandlets | master | 4104 | Microsoft-Windows-PowerShell | +| Process Hollowing Detection | master | 25 | Microsoft-Windows-Sysmon | +| FromBase64String Command Line | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Microsoft 365 Device Code Authentication | master | 15 | | +| TOR Usage Generic Rule | master | 3 | Microsoft-Windows-Sysmon | | Admin Share Access | master | 5140, 5145 | Microsoft-Windows-Security-Auditing | +| Cobalt Strike Named Pipes | master | 17 | Microsoft-Windows-Sysmon | +| Microsoft Defender for Office 365 Medium Severity AIR Alert | master | 64 | | +| Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically | master | 64 | | +| WMIC Loading Scripting Libraries | master | 7 | Microsoft-Windows-Sysmon | +| Putty Sessions Listing | master | 1, 4656, 4663 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon | +| Rubeus Register New Logon Process | master | 4611 | Microsoft-Windows-Security-Auditing | | DNS Server Error Failed Loading The ServerLevelPluginDLL | master | 150, 770, 771 | Microsoft-Windows-DNS-Server-Service | -| Disable Security Events Logging Adding Reg Key MiniNt | master | 13 | Microsoft-Windows-Sysmon | -| Microsoft 365 (Office 365) MCAS Inbox Hiding | master | 98 | | -| Process Herpaderping | master | 25 | Microsoft-Windows-Sysmon | -| Network Share Discovery | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Netsh Port Opening | master | 1 | Microsoft-Windows-Sysmon | -| File Or Folder Permissions Modifications | master | 1 | Microsoft-Windows-Sysmon | -| Microsoft 365 (Office 365) MCAS Detection Velocity | master | 98 | | -| Privileged AD Builtin Group Modified | master | 4727, 4728, 4729, 4730, 4754, 4756, 4757, 4758, 4764 | Microsoft-Windows-Security-Auditing | -| Account 
Added To A Security Enabled Group | master | 4728 | Microsoft-Windows-Security-Auditing | -| Svchost DLL Search Order Hijack | master | 7 | Microsoft-Windows-Sysmon | -| In-memory PowerShell | master | 7 | Microsoft-Windows-Sysmon | -| Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action | master | 64 | | -| Process Hollowing Detection | master | 25 | Microsoft-Windows-Sysmon | -| Admin User RDP Remote Logon | master | 4624 | Microsoft-Windows-Security-Auditing | -| SAM Registry Hive Handle Request | advanced | 4656 | Microsoft-Windows-Security-Auditing | -| Suspicious Control Process | advanced | 1 | Microsoft-Windows-Sysmon | -| Windows Registry Persistence COM Search Order Hijacking | advanced | 13 | Microsoft-Windows-Sysmon | -| Logonui Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| XCopy Suspicious Usage | advanced | 1 | Microsoft-Windows-Sysmon | +| Explorer Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| Active Directory Replication User Backdoor | advanced | 5136 | Microsoft-Windows-Security-Auditing | +| Suspicious Windows DNS Queries | advanced | 22 | Microsoft-Windows-Sysmon | +| Logon Scripts (UserInitMprLogonScript) | advanced | 1, 13 | Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus Tampering Detected | advanced | 1127, 2013, 5001, 5010, 5012, 5101 | Microsoft-Windows-Windows Defender | +| Permission Discovery Via Wmic | advanced | 1 | Microsoft-Windows-Sysmon | +| Control Panel Items | advanced | 1 | Microsoft-Windows-Sysmon | | Suspicious desktop.ini Action | advanced | 15 | Microsoft-Windows-Sysmon | -| Malicious PowerShell Keywords | advanced | 4104 | Microsoft-Windows-PowerShell | -| RDP Sensitive Settings Changed | advanced | 13 | Microsoft-Windows-Sysmon | +| Microsoft Windows Active Directory Module Commandlets | advanced | 4104 | Microsoft-Windows-PowerShell | +| Microsoft Office Product Spawning Windows Shell | advanced | 1 | Microsoft-Windows-Sysmon | +| Hiding Files With Attrib.exe | 
advanced | 1 | Microsoft-Windows-Sysmon | | AutoIt3 Execution From Suspicious Folder | advanced | 5 | Kernel-Process | -| Logon Scripts (UserInitMprLogonScript) | advanced | 1, 13 | Microsoft-Windows-Sysmon | -| Winword wrong parent | advanced | 4688 | Microsoft-Windows-Security-Auditing | -| Adexplorer Usage | advanced | 1 | Microsoft-Windows-Sysmon | +| Malicious PowerShell Keywords | advanced | 4104 | Microsoft-Windows-PowerShell | +| SAM Registry Hive Handle Request | advanced | 4656 | Microsoft-Windows-Security-Auditing | +| Searchindexer Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| AD Object WriteDAC Access | advanced | 4662 | Microsoft-Windows-Security-Auditing | +| Load Of dbghelp/dbgcore DLL From Suspicious Process | advanced | 7 | Microsoft-Windows-Sysmon | | Exfiltration Via Pscp | advanced | 1 | Microsoft-Windows-Sysmon | -| Winlogon wrong parent | advanced | 1 | Microsoft-Windows-Sysmon | -| System Network Connections Discovery | advanced | 1 | Microsoft-Windows-Sysmon | +| Webshell Execution W3WP Process | advanced | 1 | Microsoft-Windows-Sysmon | +| Wmiprvse Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| PowerShell Download From URL | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Domain Group And Permission Enumeration | advanced | 1 | Microsoft-Windows-Sysmon | | WMI Event Subscription | advanced | 19, 20, 21 | Microsoft-Windows-Sysmon | -| Hiding Files With Attrib.exe | advanced | 1 | Microsoft-Windows-Sysmon | -| Wsmprovhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| Suspicious PowerShell Keywords | advanced | 4104 | Microsoft-Windows-PowerShell | -| Microsoft Windows Active Directory Module Commandlets | advanced | 4104 | Microsoft-Windows-PowerShell | -| Rclone Process | advanced | 1 | Microsoft-Windows-Sysmon | +| PowerShell EncodedCommand | advanced | 1 | Microsoft-Windows-Sysmon | +| Netsh Program Allowed With Suspicious Location | advanced | 1 | 
Microsoft-Windows-Sysmon | +| Non-Legitimate Executable Using AcceptEula Parameter | advanced | 3, 5 | Kernel-Process, Microsoft-Windows-Kernel-Process | | Disabled IE Security Features | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| External Disk Drive Or USB Storage Device | advanced | 6416 | Microsoft-Windows-Security-Auditing | +| Wsmprovhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| Suspicious Outbound Kerberos Connection | advanced | 5156 | Microsoft-Windows-Security-Auditing | +| Svchost Modification | advanced | 13 | Microsoft-Windows-Sysmon | +| Suspicious Cmd.exe Command Line | advanced | 1 | Microsoft-Windows-Sysmon | +| Exfiltration And Tunneling Tools Execution | advanced | 1 | Microsoft-Windows-Sysmon | +| Netsh Allow Command | advanced | 1 | Microsoft-Windows-Sysmon | | Smss Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| Userinit Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| PowerShell Invoke-Obfuscation Obfuscated IEX Invocation | advanced | 4104 | Microsoft-Windows-PowerShell | -| Dynwrapx Module Loading | advanced | 7 | Microsoft-Windows-Sysmon | -| Taskhostw Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| Exploit For CVE-2017-0261 Or CVE-2017-0262 | advanced | 1 | Microsoft-Windows-Sysmon | +| RDP Session Discovery | advanced | 1 | Microsoft-Windows-Sysmon | +| Svchost Wrong Parent | advanced | 4688 | Microsoft-Windows-Security-Auditing | +| Suspicious PROCEXP152.sys File Created In Tmp | advanced | 11 | Microsoft-Windows-Sysmon | +| CreateRemoteThread Common Process Injection | advanced | 8 | Microsoft-Windows-Sysmon | +| Python Opening Ports | advanced | 5154 | Microsoft-Windows-Security-Auditing | +| Suspicious Control Process | advanced | 1 | Microsoft-Windows-Sysmon | +| AzureEdge in Command Line | advanced | 5 | Kernel-Process | +| NTDS.dit File In Suspicious Directory | advanced | 11 | Microsoft-Windows-Sysmon | +| Metasploit PSExec Service Creation 
| advanced | 7045 | Service Control Manager | +| Legitimate Process Execution From Unusual Folder | advanced | 1, 5, 4688 | Microsoft-Windows-Sysmon | +| Suspicious PrinterPorts Creation (CVE-2020-1048) | advanced | 10 | Microsoft-Windows-Sysmon | | Telegram Bot API Request | advanced | 22 | Microsoft-Windows-Sysmon | +| Cmd.exe Used To Run Reconnaissance Commands | advanced | 1 | Microsoft-Windows-Sysmon | +| PowerView commandlets 2 | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Rubeus Tool Command-line | advanced | 1 | Microsoft-Windows-Sysmon | +| Suspicious XOR Encoded PowerShell Command Line | advanced | 4104 | Microsoft-Windows-PowerShell | +| Windows Registry Persistence COM Search Order Hijacking | advanced | 13 | Microsoft-Windows-Sysmon | +| Wininit Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | | PowerShell Malicious Nishang PowerShell Commandlets | advanced | 4104 | Microsoft-Windows-PowerShell | -| Remote Service Activity Via SVCCTL Named Pipe | advanced | 5145 | Microsoft-Windows-Security-Auditing | -| ACLight Discovering Privileged Accounts | advanced | 4103 | Microsoft-Windows-PowerShell | +| Dism Disabling Windows Defender | advanced | 1 | Kernel-Process | +| PsExec Process | advanced | 13, 7045 | Microsoft-Windows-Sysmon, Service Control Manager | +| New Service Creation | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Spoolsv Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | | WiFi Credentials Harvesting Using Netsh | advanced | 1 | Microsoft-Windows-Sysmon | -| RDP Login From Localhost | advanced | 4624 | Microsoft-Windows-Security-Auditing | -| RDP Session Discovery | advanced | 1 | Microsoft-Windows-Sysmon | -| Legitimate Process Execution From Unusual Folder | advanced | 1, 5, 4688 | Microsoft-Windows-Sysmon | -| Microsoft Defender Antivirus Threat Detected | advanced | 1006, 1007, 1008, 1015, 1116, 1117, 1118, 1119, 1125, 1126 | Microsoft-Windows-Windows 
Defender | +| Suspicious Double Extension | advanced | 5 | Microsoft-Windows-Sysmon | | Suspicious ADSI-Cache Usage By Unknown Tool | advanced | 11 | Microsoft-Windows-Sysmon | -| Explorer Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus Threat Detected | advanced | 1006, 1007, 1008, 1015, 1116, 1117, 1118, 1119, 1125, 1126 | Microsoft-Windows-Windows Defender | +| Adidnsdump Enumeration | advanced | 11, 4688 | Microsoft-Windows-Kernel-File, Microsoft-Windows-Security-Auditing | +| Suspicious PowerShell Keywords | advanced | 4104 | Microsoft-Windows-PowerShell | +| Taskhost or Taskhostw Suspicious Child Found | advanced | 1 | Microsoft-Windows-Sysmon | +| Unsigned Image Loaded Into LSASS Process | advanced | 7 | Microsoft-Windows-Sysmon | +| NlTest Usage | advanced | 1 | Microsoft-Windows-Sysmon | +| Credentials Extraction | advanced | 1 | Kernel-Process | +| Lsass Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| Powershell Web Request | advanced | 1 | Microsoft-Windows-Sysmon | +| System Network Connections Discovery | advanced | 1 | Microsoft-Windows-Sysmon | +| WMI Persistence Script Event Consumer File Write | advanced | 11 | Microsoft-Windows-Sysmon | +| Account Tampering - Suspicious Failed Logon Reasons | advanced | 4625, 4776 | Microsoft-Windows-Security-Auditing | +| Rare Logonui Child Found | advanced | 1 | Microsoft-Windows-Sysmon | +| Change Default File Association | advanced | 1 | Microsoft-Windows-Sysmon | | Dllhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| Wininit Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| Domain Trust Created Or Removed | advanced | 4706, 4707 | Microsoft-Windows-Security-Auditing | +| Certify Or Certipy | advanced | 3, 5 | Kernel-Process | +| Alternate PowerShell Hosts Pipe | advanced | 17 | Microsoft-Windows-Sysmon | +| Logonui Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| XCopy Suspicious Usage | advanced | 1 | 
Microsoft-Windows-Sysmon | +| Userinit Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| Winlogon wrong parent | advanced | 1 | Microsoft-Windows-Sysmon | +| Winword wrong parent | advanced | 4688 | Microsoft-Windows-Security-Auditing | +| Remote Service Activity Via SVCCTL Named Pipe | advanced | 5145 | Microsoft-Windows-Security-Auditing | +| Csrss Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| Default Encoding To UTF-8 PowerShell | advanced | 1 | Microsoft-Windows-Sysmon | +| PowerShell Credential Prompt | advanced | 4104 | Microsoft-Windows-PowerShell | +| Active Directory Replication from Non Machine Account | advanced | 4662 | Microsoft-Windows-Security-Auditing | +| ACLight Discovering Privileged Accounts | advanced | 4103 | Microsoft-Windows-PowerShell | | AccCheckConsole Executing Dll | advanced | 5 | Kernel-Process | +| Taskhostw Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| RDP Sensitive Settings Changed | advanced | 13 | Microsoft-Windows-Sysmon | | PowerView commandlets 1 | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Taskhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | | Lateral Movement - Remote Named Pipe | advanced | 5145 | Microsoft-Windows-Security-Auditing | +| Rclone Process | advanced | 1 | Microsoft-Windows-Sysmon | +| PowerShell - NTFS Alternate Data Stream | advanced | 4104 | Microsoft-Windows-PowerShell | +| Domain Trust Created Or Removed | advanced | 4706, 4707 | Microsoft-Windows-Security-Auditing | +| PowerShell Data Compressed | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Mimikatz LSASS Memory Access | advanced | 10 | Microsoft-Windows-Sysmon | +| Suspicious Regsvr32 Execution | advanced | 1 | Microsoft-Windows-Sysmon | | Winrshost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| Microsoft Office Product Spawning Windows Shell | advanced | 1 | Microsoft-Windows-Sysmon | -| Csrss Wrong Parent | advanced 
| 1 | Microsoft-Windows-Sysmon | -| Default Encoding To UTF-8 PowerShell | advanced | 1 | Microsoft-Windows-Sysmon | -| PsExec Process | advanced | 13, 7045 | Microsoft-Windows-Sysmon, Service Control Manager | -| NTDS.dit File In Suspicious Directory | advanced | 11 | Microsoft-Windows-Sysmon | -| Dism Disabling Windows Defender | advanced | 1 | Kernel-Process | -| PowerShell Download From URL | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Netsh Program Allowed With Suspicious Location | advanced | 1 | Microsoft-Windows-Sysmon | -| Microsoft Defender Antivirus Tampering Detected | advanced | 1127, 2013, 5001, 5010, 5012, 5101 | Microsoft-Windows-Windows Defender | +| Dynwrapx Module Loading | advanced | 7 | Microsoft-Windows-Sysmon | | Suspicious Regasm Regsvcs Usage | advanced | 1 | Kernel-Process | -| Spoolsv Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| Certify Or Certipy | advanced | 3, 5 | Kernel-Process | -| Suspicious PROCEXP152.sys File Created In Tmp | advanced | 11 | Microsoft-Windows-Sysmon | -| NlTest Usage | advanced | 1 | Microsoft-Windows-Sysmon | -| PowerShell Credential Prompt | advanced | 4104 | Microsoft-Windows-PowerShell | -| Permission Discovery Via Wmic | advanced | 1 | Microsoft-Windows-Sysmon | -| New Service Creation | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Searchindexer Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| Netsh Allow Command | advanced | 1 | Microsoft-Windows-Sysmon | -| Exfiltration And Tunneling Tools Execution | advanced | 1 | Microsoft-Windows-Sysmon | -| Svchost Wrong Parent | advanced | 4688 | Microsoft-Windows-Security-Auditing | -| Taskhost or Taskhostw Suspicious Child Found | advanced | 1 | Microsoft-Windows-Sysmon | -| Suspicious PrinterPorts Creation (CVE-2020-1048) | advanced | 10 | Microsoft-Windows-Sysmon | -| Python Opening Ports | advanced | 5154 | Microsoft-Windows-Security-Auditing | -| Active Directory 
Replication User Backdoor | advanced | 5136 | Microsoft-Windows-Security-Auditing | -| WMI Persistence Script Event Consumer File Write | advanced | 11 | Microsoft-Windows-Sysmon | -| PowerShell EncodedCommand | advanced | 1 | Microsoft-Windows-Sysmon | -| PowerView commandlets 2 | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Active Directory Replication from Non Machine Account | advanced | 4662 | Microsoft-Windows-Security-Auditing | -| Exploit For CVE-2017-0261 Or CVE-2017-0262 | advanced | 1 | Microsoft-Windows-Sysmon | -| AzureEdge in Command Line | advanced | 5 | Kernel-Process | -| Rare Logonui Child Found | advanced | 1 | Microsoft-Windows-Sysmon | -| Metasploit PSExec Service Creation | advanced | 7045 | Service Control Manager | -| Mimikatz LSASS Memory Access | advanced | 10 | Microsoft-Windows-Sysmon | -| Lsass Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| Domain Group And Permission Enumeration | advanced | 1 | Microsoft-Windows-Sysmon | -| Change Default File Association | advanced | 1 | Microsoft-Windows-Sysmon | -| Cmd.exe Used To Run Reconnaissance Commands | advanced | 1 | Microsoft-Windows-Sysmon | -| Wmiprvse Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| Suspicious Outbound Kerberos Connection | advanced | 5156 | Microsoft-Windows-Security-Auditing | -| Suspicious Cmd.exe Command Line | advanced | 1 | Microsoft-Windows-Sysmon | +| PowerShell Invoke-Obfuscation Obfuscated IEX Invocation | advanced | 4104 | Microsoft-Windows-PowerShell | | Powershell AMSI Bypass | advanced | 4104 | Microsoft-Windows-PowerShell | -| Webshell Execution W3WP Process | advanced | 1 | Microsoft-Windows-Sysmon | -| Adidnsdump Enumeration | advanced | 11, 4688 | Microsoft-Windows-Kernel-File, Microsoft-Windows-Security-Auditing | -| Load Of dbghelp/dbgcore DLL From Suspicious Process | advanced | 7 | Microsoft-Windows-Sysmon | -| Unsigned Image Loaded Into LSASS Process | advanced | 7 | 
Microsoft-Windows-Sysmon | -| Suspicious Windows DNS Queries | advanced | 22 | Microsoft-Windows-Sysmon | -| Non-Legitimate Executable Using AcceptEula Parameter | advanced | 3, 5 | Kernel-Process, Microsoft-Windows-Kernel-Process | -| PowerShell Data Compressed | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Credentials Extraction | advanced | 1 | Kernel-Process | -| Powershell Web Request | advanced | 1 | Microsoft-Windows-Sysmon | -| Rubeus Tool Command-line | advanced | 1 | Microsoft-Windows-Sysmon | -| AD Object WriteDAC Access | advanced | 4662 | Microsoft-Windows-Security-Auditing | -| Account Tampering - Suspicious Failed Logon Reasons | advanced | 4625, 4776 | Microsoft-Windows-Security-Auditing | -| Suspicious Double Extension | advanced | 5 | Microsoft-Windows-Sysmon | -| Control Panel Items | advanced | 1 | Microsoft-Windows-Sysmon | -| Svchost Modification | advanced | 13 | Microsoft-Windows-Sysmon | -| Alternate PowerShell Hosts Pipe | advanced | 17 | Microsoft-Windows-Sysmon | -| PowerShell - NTFS Alternate Data Stream | advanced | 4104 | Microsoft-Windows-PowerShell | +| Adexplorer Usage | advanced | 1 | Microsoft-Windows-Sysmon | +| External Disk Drive Or USB Storage Device | advanced | 6416 | Microsoft-Windows-Security-Auditing | | Searchprotocolhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| CreateRemoteThread Common Process Injection | advanced | 8 | Microsoft-Windows-Sysmon | -| Suspicious XOR Encoded PowerShell Command Line | advanced | 4104 | Microsoft-Windows-PowerShell | -| Taskhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| Suspicious Regsvr32 Execution | advanced | 1 | Microsoft-Windows-Sysmon | +| RDP Login From Localhost | advanced | 4624 | Microsoft-Windows-Security-Auditing | | Remote Privileged Group Enumeration | advanced | 4799 | | -| Gpscript Suspicious Parent | intermediate | 1 | Microsoft-Windows-Sysmon | -| Remote Task Creation Via ATSVC Named Pipe | 
intermediate | 5145 | Microsoft-Windows-Security-Auditing | -| Explorer Process Executing HTA File | intermediate | 1 | Microsoft-Windows-Sysmon | -| Searchprotocolhost Child Found | intermediate | 1 | Microsoft-Windows-Sysmon | -| Microsoft 365 Email Forwarding To Consumer Email Address | intermediate | 1 | | -| Schtasks Suspicious Parent | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious Hostname | intermediate | 4624 | Microsoft-Windows-Security-Auditing | -| Suspicious Mshta Execution | intermediate | 1 | Microsoft-Windows-Sysmon | -| Microsoft Defender Antivirus Disable Services | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| BazarLoader Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon | -| CMSTP Execution | intermediate | 1 | Microsoft-Windows-Sysmon | -| Commonly Used Commands To Stop Services And Remove Backups | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious DNS Child Process | intermediate | 1 | Microsoft-Windows-Sysmon | -| Bloodhound and Sharphound Tools Usage | intermediate | 1 | Microsoft-Windows-Sysmon | -| Wmic Service Call | intermediate | 1 | Microsoft-Windows-Sysmon | -| Transfering Files With Credential Data Via Network Shares | intermediate | 5145 | Microsoft-Windows-Security-Auditing | -| OceanLotus Registry Activity | intermediate | 13 | Microsoft-Windows-Sysmon | -| Cobalt Strike Default Beacons Names | intermediate | 1, 15 | Microsoft-Windows-Sysmon | -| Suspicious Desktopimgdownldr Execution | intermediate | 1 | Microsoft-Windows-Sysmon | -| Ngrok Process Execution | intermediate | 1 | Microsoft-Windows-Sysmon | -| MSBuild Abuse | intermediate | 1, 3 | Microsoft-Windows-Sysmon | -| WMIC Uninstall Product | intermediate | 1 | Microsoft-Windows-Sysmon | -| MalwareBytes Uninstallation | intermediate | 1 | Microsoft-Windows-Sysmon | -| Microsoft Office Spawning Script | intermediate | 1 | Microsoft-Windows-Sysmon | -| Microsoft 365 (Office 365) AtpDetection 
| intermediate | 47 | | -| Suspicious Network Args In Command Line | intermediate | 1 | Kernel-Process, Microsoft-Windows-Sysmon | -| Reconnaissance Commands Activities | intermediate | 1 | Kernel-Process | +| Powershell UploadString Function | intermediate | 1 | Microsoft-Windows-Sysmon | +| Active Directory Delegate To KRBTGT Service | intermediate | 4738 | Microsoft-Windows-Security-Auditing | | Mshta Suspicious Child Process | intermediate | 1, 5 | Kernel-Process | -| HackTools Suspicious Process Names In Command Line | intermediate | 1 | Microsoft-Windows-Sysmon | -| WMIC Command To Determine The Antivirus | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Generic-reverse-shell-oneliner | intermediate | 3 | Microsoft-Windows-Kernel-Network | -| Exchange Server Creating Unusual Files | intermediate | 11 | Microsoft-Windows-Sysmon | -| Network Connection Via Certutil | intermediate | 3 | Microsoft-Windows-Sysmon | -| Possible RottenPotato Attack | intermediate | 4624 | Microsoft-Windows-Security-Auditing | -| WMImplant Hack Tool | intermediate | 4104 | Microsoft-Windows-PowerShell | -| Cred Dump Tools Dropped Files | intermediate | 11 | Microsoft-Windows-Sysmon | -| Suspicious PowerShell Invocations - Specific | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious certutil command | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious SAM Dump | intermediate | 16 | Microsoft-Windows-Kernel-General | -| KeePass Config XML In Command-Line | intermediate | 1 | Microsoft-Windows-Sysmon | -| Microsoft 365 Email Forwarding To Email Address With Rare TLD | intermediate | 1 | | -| Network Sniffing Windows | intermediate | 1, 5 | Microsoft-Windows-Sysmon | -| Microsoft 365 (Office 365) Malware Uploaded On SharePoint | intermediate | 6 | | -| DCSync Attack | intermediate | 4662 | Microsoft-Windows-Security-Auditing | -| Microsoft Defender Antivirus Restoration Abuse | intermediate | 1 | Microsoft-Windows-Sysmon | -| QakBot 
Process Creation | intermediate | 1 | Microsoft-Windows-Sysmon | +| Remote Task Creation Via ATSVC Named Pipe | intermediate | 5145 | Microsoft-Windows-Security-Auditing | | Possible Replay Attack | intermediate | 4649 | Microsoft-Windows-Security-Auditing | -| Microsoft Defender Antivirus Disable SecurityHealth | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Suspicious PowerShell Invocations - Generic | intermediate | 1 | Microsoft-Windows-Sysmon | +| Disable .NET ETW Through COMPlus_ETWEnabled | intermediate | 1, 13 | Microsoft-Windows-Sysmon | +| Suspicious PowerShell Invocations - Specific | intermediate | 1 | Microsoft-Windows-Sysmon | +| Rare Lsass Child Found | intermediate | 1 | Microsoft-Windows-Sysmon | +| Pandemic Windows Implant | intermediate | 1, 13 | Microsoft-Windows-Sysmon | +| NetSh Used To Disable Windows Firewall | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Finger Usage | intermediate | 1 | Microsoft-Windows-Sysmon | +| Denied Access To Remote Desktop | intermediate | 4825 | Microsoft-Windows-Security-Auditing | +| Csrss Child Found | intermediate | 1 | Microsoft-Windows-Sysmon | +| MOFComp Execution | intermediate | 1 | Microsoft-Windows-Sysmon | +| PowerShell Execution Via Rundll32 | intermediate | 1 | Microsoft-Windows-Sysmon | +| Clear EventLogs Through CommandLine | intermediate | 1 | Microsoft-Windows-Sysmon | +| Hijack Legit RDP Session To Move Laterally | intermediate | 11 | Microsoft-Windows-Sysmon | +| Exploiting SetupComplete.cmd CVE-2019-1378 | intermediate | 1 | Microsoft-Windows-Sysmon | +| New Or Renamed User Account With '$' In Attribute 'SamAccountName' | intermediate | 4720 | Microsoft-Windows-Security-Auditing | +| Backup Catalog Deleted | intermediate | 524 | Microsoft-Windows-Backup | +| Network Connection Via Certutil | intermediate | 3 | Microsoft-Windows-Sysmon | | SolarWinds Wrong Child Process | intermediate | 1 | Microsoft-Windows-Sysmon | -| Spyware Persistence 
Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon | -| GPO Executable Delivery | intermediate | 5136 | Microsoft-Windows-Security-Auditing | +| WCE wceaux.dll Creation | intermediate | 30 | Microsoft-Windows-Kernel-File | +| Microsoft Defender Antivirus Disable SecurityHealth | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Lsass Access Through WinRM | intermediate | 10 | Microsoft-Windows-Sysmon | +| Microsoft 365 Email Forwarding To Consumer Email Address | intermediate | 1 | | +| Bloodhound and Sharphound Tools Usage | intermediate | 1 | Microsoft-Windows-Sysmon | +| Successful Overpass The Hash Attempt | intermediate | 4624 | Microsoft-Windows-Security-Auditing | | Audio Capture via PowerShell | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| DC Shadow via Service Principal Name (SPN) creation | intermediate | 4742, 5136 | Microsoft-Windows-Security-Auditing | -| Creation or Modification of a GPO Scheduled Task | intermediate | 5145 | Microsoft-Windows-Security-Auditing | -| Malicious Named Pipe | intermediate | 17 | Microsoft-Windows-Sysmon | +| Network Sniffing Windows | intermediate | 1, 5 | Microsoft-Windows-Sysmon | | XSL Script Processing And SquiblyTwo Attack | intermediate | 1 | Microsoft-Windows-Sysmon | -| Hijack Legit RDP Session To Move Laterally | intermediate | 11 | Microsoft-Windows-Sysmon | -| Suspicious DLL side loading from ProgramData | intermediate | 7 | Microsoft-Windows-Sysmon | -| UAC Bypass Using Fodhelper | intermediate | 13 | Microsoft-Windows-Sysmon | -| Rare Lsass Child Found | intermediate | 1 | Microsoft-Windows-Sysmon | -| Disable .NET ETW Through COMPlus_ETWEnabled | intermediate | 1, 13 | Microsoft-Windows-Sysmon | -| Qakbot Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon | -| Remote Enumeration of Lateral Movement Groups | intermediate | 4799 | Microsoft-Windows-Security-Auditing | -| Capture a network trace with 
netsh.exe | intermediate | 1 | Microsoft-Windows-Sysmon | -| Microsoft Defender Antivirus Set-MpPreference Base64 Encoded | intermediate | 1 | Microsoft-Windows-Sysmon | | Suspicious Mshta Execution From Wmi | intermediate | 1 | Microsoft-Windows-Sysmon | -| SOCKS Tunneling Tool | intermediate | 1 | Microsoft-Windows-Sysmon | -| DNS Exfiltration and Tunneling Tools Execution | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| DHCP Server Error Failed Loading the CallOut DLL | intermediate | 1031, 1032, 1033, 1034 | Microsoft-Windows-DHCP-Server | -| Exchange Server Spawning Suspicious Processes | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious Taskkill Command | intermediate | 1 | Microsoft-Windows-Sysmon | | Netsh RDP Port Opening | intermediate | 1 | Microsoft-Windows-Sysmon | -| Microsoft Malware Protection Engine Crash | intermediate | 1000 | Application Error | -| Suspicious Outlook Child Process | intermediate | 4688 | Microsoft-Windows-Security-Auditing | -| Data Compressed With Rar With Password | intermediate | 1 | Microsoft-Windows-Sysmon | +| Registry Key Used By Some Old Agent Tesla Samples | intermediate | 13 | Microsoft-Windows-Sysmon | +| GPO Executable Delivery | intermediate | 5136 | Microsoft-Windows-Security-Auditing | +| Cobalt Strike Default Beacons Names | intermediate | 1, 15 | Microsoft-Windows-Sysmon | +| Powershell Winlogon Helper DLL | intermediate | 13, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | | CMSTP UAC Bypass via COM Object Access | intermediate | 1 | Microsoft-Windows-Sysmon | -| Csrss Child Found | intermediate | 1 | Microsoft-Windows-Sysmon | -| LSASS Memory Dump File Creation | intermediate | 11 | Microsoft-Windows-Sysmon | -| Suspicious Rundll32.exe Execution | intermediate | 1, 5 | Kernel-Process, Microsoft-Windows-Sysmon | -| High Privileges Network Share Removal | intermediate | 1 | Kernel-Process, Microsoft-Windows-Sysmon | -| Disable Windows Defender 
Credential Guard | intermediate | 13 | Microsoft-Windows-Sysmon | -| New DLL Added To AppCertDlls Registry Key | intermediate | 1, 13 | Microsoft-Windows-Sysmon | -| Netsh Allowed Python Program | intermediate | 1 | Microsoft-Windows-Sysmon | -| Formbook Hijacked Process Command | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious PowerShell Invocations - Generic | intermediate | 1 | Microsoft-Windows-Sysmon | -| MavInject Process Injection | intermediate | 1 | Microsoft-Windows-Sysmon | -| Sysprep On AppData Folder | intermediate | 1 | Microsoft-Windows-Sysmon | +| Password Change On Directory Service Restore Mode (DSRM) Account | intermediate | 4794 | Microsoft-Windows-Security-Auditing | +| Active Directory User Backdoors | intermediate | 4662, 5136 | Microsoft-Windows-Security-Auditing | +| Phosphorus Domain Controller Discovery | intermediate | 4104 | Microsoft-Windows-PowerShell | +| CMSTP Execution | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Windows Script Execution | intermediate | 5 | Kernel-Process | +| Suspicious Hostname | intermediate | 4624 | Microsoft-Windows-Security-Auditing | +| MMC Spawning Windows Shell | intermediate | 1 | Microsoft-Windows-Sysmon | +| DNS Exfiltration and Tunneling Tools Execution | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Data Compressed With Rar With Password | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Impacket Secretsdump.py Tool | intermediate | 5145 | Microsoft-Windows-Security-Auditing | +| DHCP Server Error Failed Loading the CallOut DLL | intermediate | 1031, 1032, 1033, 1034 | Microsoft-Windows-DHCP-Server | | Werfault DLL Injection | intermediate | 7 | Microsoft-Windows-Sysmon | -| NetSh Used To Disable Windows Firewall | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Network Args In Command Line | intermediate | 1 | Kernel-Process, Microsoft-Windows-Sysmon | +| SquirrelWaffle Malspam 
Execution Loading DLL | intermediate | 1 | Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus Set-MpPreference Base64 Encoded | intermediate | 1 | Microsoft-Windows-Sysmon | +| OneNote Embedded File | intermediate | 11, 15 | Microsoft-Windows-Sysmon | | Microsoft Defender Antivirus Disable Scheduled Tasks | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| DPAPI Domain Backup Key Extraction | intermediate | 4662 | Microsoft-Windows-Security-Auditing | -| Phosphorus Domain Controller Discovery | intermediate | 4104 | Microsoft-Windows-PowerShell | +| IIS Module Installation Using AppCmd | intermediate | 1 | Microsoft-Windows-Sysmon | +| Generic-reverse-shell-oneliner | intermediate | 3 | Microsoft-Windows-Kernel-Network | +| Exchange Mailbox Export | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Suspicious LDAP-Attributes Used | intermediate | 5136 | Microsoft-Windows-Security-Auditing | +| MSBuild Abuse | intermediate | 1, 3 | Microsoft-Windows-Sysmon | +| Suspicious Rundll32.exe Execution | intermediate | 1, 5 | Kernel-Process, Microsoft-Windows-Sysmon | +| Schtasks Suspicious Parent | intermediate | 1 | Microsoft-Windows-Sysmon | | COM Hijack Via Sdclt | intermediate | 1 | Microsoft-Windows-Sysmon | -| Eventlog Cleared | intermediate | 517, 1102 | Microsoft-Windows-Eventlog | -| Impacket Secretsdump.py Tool | intermediate | 5145 | Microsoft-Windows-Security-Auditing | -| Suspicious Windows Installer Execution | intermediate | 1 | Microsoft-Windows-Sysmon | +| BazarLoader Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon | +| Formbook File Creation DB1 | intermediate | 11 | Microsoft-Windows-Sysmon | +| DCSync Attack | intermediate | 4662 | Microsoft-Windows-Security-Auditing | | DLL Load via LSASS Registry Key | intermediate | 12, 13 | Microsoft-Windows-Sysmon | +| Suspicious CodePage Switch with CHCP | intermediate | 1 | Microsoft-Windows-Sysmon | +| 
Reconnaissance Commands Activities | intermediate | 1 | Kernel-Process | | Venom Multi-hop Proxy agent detection | intermediate | 1 | Kernel-Process | -| Microsoft 365 (Office 365) Malware Uploaded On OneDrive | intermediate | 6 | | -| Wmic Process Call Creation | intermediate | 1 | Microsoft-Windows-Sysmon | -| PowerShell Execution Via Rundll32 | intermediate | 1 | Microsoft-Windows-Sysmon | -| Chafer (APT 39) Activity | intermediate | 4697, 7045 | Microsoft-Windows-Security-Auditing, Service Control Manager | -| Suspicious Windows Script Execution | intermediate | 5 | Kernel-Process | -| STRRAT Scheduled Task | intermediate | 1 | Microsoft-Windows-Sysmon | +| Secure Deletion With SDelete | intermediate | 4656, 4658, 4663 | Microsoft-Windows-Security-Auditing | +| Inhibit System Recovery Deleting Backups | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Possible RottenPotato Attack | intermediate | 4624 | Microsoft-Windows-Security-Auditing | +| Wmic Service Call | intermediate | 1 | Microsoft-Windows-Sysmon | +| DPAPI Domain Backup Key Extraction | intermediate | 4662 | Microsoft-Windows-Security-Auditing | | Copy Of Legitimate System32 Executable | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Exchange Mailbox Export | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Password Dumper Activity On LSASS | intermediate | 4656 | Microsoft-Windows-Security-Auditing | +| HackTools Suspicious Process Names In Command Line | intermediate | 1 | Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus Disable Services | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Trickbot Malware Activity | intermediate | 1 | Microsoft-Windows-Sysmon | +| SOCKS Tunneling Tool | intermediate | 1 | Microsoft-Windows-Sysmon | +| High Privileges Network Share Removal | intermediate | 1 | Kernel-Process, Microsoft-Windows-Sysmon | +| 
Suspicious Process Requiring DLL Starts Without DLL | intermediate | 1 | Microsoft-Windows-Sysmon | | DHCP Callout DLL Installation | intermediate | 13 | Microsoft-Windows-Sysmon | -| Credential Dumping Tools Service Execution | intermediate | 7045 | Service Control Manager | +| Gpscript Suspicious Parent | intermediate | 1 | Microsoft-Windows-Sysmon | +| STRRAT Scheduled Task | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Mshta Execution | intermediate | 1 | Microsoft-Windows-Sysmon | | RDP Port Change Using Powershell | intermediate | 13, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Usage Of Procdump With Common Arguments | intermediate | 13 | Microsoft-Windows-Sysmon | -| Inhibit System Recovery Deleting Backups | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Exfiltration Domain In Command Line | intermediate | 1 | Microsoft-Windows-Sysmon | -| Sliver DNS Beaconing | intermediate | 22 | Microsoft-Windows-Sysmon | -| Successful Overpass The Hash Attempt | intermediate | 4624 | Microsoft-Windows-Security-Auditing | -| Impacket Addcomputer | intermediate | 4741 | Microsoft-Windows-Security-Auditing | -| Clear EventLogs Through CommandLine | intermediate | 1 | Microsoft-Windows-Sysmon | -| TUN/TAP Driver Installation | intermediate | 4697, 7045 | Service Control Manager | +| Microsoft 365 Email Forwarding To Email Address With Rare TLD | intermediate | 1 | | | Grabbing Sensitive Hives Via Reg Utility | intermediate | 1, 5 | Kernel-Process, Microsoft-Windows-Sysmon | -| Suspicious Scripting In A WMI Consumer | intermediate | 20 | Microsoft-Windows-Sysmon | -| Formbook File Creation DB1 | intermediate | 11 | Microsoft-Windows-Sysmon | -| Exploiting SetupComplete.cmd CVE-2019-1378 | intermediate | 1 | Microsoft-Windows-Sysmon | -| Python HTTP Server | intermediate | 1 | Microsoft-Windows-Sysmon | -| Detection of default Mimikatz banner | intermediate | 4103 | Microsoft-Windows-PowerShell | -| 
Registry Key Used By Some Old Agent Tesla Samples | intermediate | 13 | Microsoft-Windows-Sysmon | -| NetNTLM Downgrade Attack | intermediate | 13, 4657 | Microsoft-Windows-Sysmon | -| Antivirus Relevant File Paths Alerts | intermediate | 1116 | Microsoft-Windows-Windows Defender | +| Microsoft Malware Protection Engine Crash | intermediate | 1000 | Application Error | +| Formbook Hijacked Process Command | intermediate | 1 | Microsoft-Windows-Sysmon | +| Wmic Process Call Creation | intermediate | 1 | Microsoft-Windows-Sysmon | +| SolarWinds Suspicious File Creation | intermediate | 11 | Microsoft-Windows-Sysmon | +| Suspicious Taskkill Command | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspect Svchost Memory Access | intermediate | 10 | Microsoft-Windows-Sysmon | +| WMIC Uninstall Product | intermediate | 1 | Microsoft-Windows-Sysmon | +| UAC Bypass via Event Viewer | intermediate | 13 | Microsoft-Windows-Sysmon | +| MMC20 Lateral Movement | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious DLL Loading By Ordinal | intermediate | 1 | Microsoft-Windows-Sysmon | | Ryuk Ransomware Persistence Registry Key | intermediate | 1, 13 | Microsoft-Windows-Sysmon | -| StoneDrill Service Install | intermediate | 7045 | Service Control Manager | -| Lsass Access Through WinRM | intermediate | 10 | Microsoft-Windows-Sysmon | +| Python HTTP Server | intermediate | 1 | Microsoft-Windows-Sysmon | +| Microsoft 365 (Office 365) AtpDetection | intermediate | 47 | | +| Malicious Named Pipe | intermediate | 17 | Microsoft-Windows-Sysmon | +| Suspicious Outlook Child Process | intermediate | 4688 | Microsoft-Windows-Security-Auditing | +| LSASS Memory Dump File Creation | intermediate | 11 | Microsoft-Windows-Sysmon | +| Creation or Modification of a GPO Scheduled Task | intermediate | 5145 | Microsoft-Windows-Security-Auditing | +| Suspicious DNS Child Process | intermediate | 1 | Microsoft-Windows-Sysmon | | PowerCat Function Loading | intermediate | 4104 | 
Microsoft-Windows-PowerShell | +| Suspicious Windows Installer Execution | intermediate | 1 | Microsoft-Windows-Sysmon | +| MalwareBytes Uninstallation | intermediate | 1 | Microsoft-Windows-Sysmon | +| CertOC Loading Dll | intermediate | 1 | Kernel-Process | +| NTDS.dit File Interaction Through Command Line | intermediate | 1 | Microsoft-Windows-Sysmon | +| Usage Of Procdump With Common Arguments | intermediate | 13 | Microsoft-Windows-Sysmon | +| KeePass Config XML In Command-Line | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Desktopimgdownldr Execution | intermediate | 1 | Microsoft-Windows-Sysmon | +| OceanLotus Registry Activity | intermediate | 13 | Microsoft-Windows-Sysmon | | Suspicious Driver Loaded | intermediate | 13 | Microsoft-Windows-Sysmon | -| Suspicious Scheduled Task Creation | intermediate | 4688 | Microsoft-Windows-Security-Auditing | -| Suspect Svchost Memory Access | intermediate | 10 | Microsoft-Windows-Sysmon | -| Suspicious DLL Loading By Ordinal | intermediate | 1 | Microsoft-Windows-Sysmon | -| Active Directory Delegate To KRBTGT Service | intermediate | 4738 | Microsoft-Windows-Security-Auditing | -| Suspicious Finger Usage | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious CodePage Switch with CHCP | intermediate | 1 | Microsoft-Windows-Sysmon | -| SquirrelWaffle Malspam Execution Loading DLL | intermediate | 1 | Microsoft-Windows-Sysmon | -| Cmdkey Cached Credentials Recon | intermediate | 1 | Microsoft-Windows-Sysmon | -| Pandemic Windows Implant | intermediate | 1, 13 | Microsoft-Windows-Sysmon | -| Suspicious LDAP-Attributes Used | intermediate | 5136 | Microsoft-Windows-Security-Auditing | -| IIS Module Installation Using AppCmd | intermediate | 1 | Microsoft-Windows-Sysmon | -| New Or Renamed User Account With '$' In Attribute 'SamAccountName' | intermediate | 4720 | Microsoft-Windows-Security-Auditing | -| Suspicious Process Requiring DLL Starts Without DLL | intermediate | 1 | Microsoft-Windows-Sysmon 
| -| WCE wceaux.dll Creation | intermediate | 30 | Microsoft-Windows-Kernel-File | -| OneNote Embedded File | intermediate | 11, 15 | Microsoft-Windows-Sysmon | -| Trickbot Malware Activity | intermediate | 1 | Microsoft-Windows-Sysmon | +| Disable Windows Defender Credential Guard | intermediate | 13 | Microsoft-Windows-Sysmon | +| Cred Dump Tools Dropped Files | intermediate | 11 | Microsoft-Windows-Sysmon | +| WMIC Command To Determine The Antivirus | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Microsoft 365 (Office 365) Malware Uploaded On OneDrive | intermediate | 6 | | +| Detection of default Mimikatz banner | intermediate | 4103 | Microsoft-Windows-PowerShell | +| Remote Enumeration of Lateral Movement Groups | intermediate | 4799 | Microsoft-Windows-Security-Auditing | +| Microsoft Defender Antivirus Restoration Abuse | intermediate | 1 | Microsoft-Windows-Sysmon | +| Ngrok Process Execution | intermediate | 1 | Microsoft-Windows-Sysmon | +| UAC Bypass Using Fodhelper | intermediate | 13 | Microsoft-Windows-Sysmon | +| Exchange Server Spawning Suspicious Processes | intermediate | 1 | Microsoft-Windows-Sysmon | +| Credential Dumping Tools Service Execution | intermediate | 7045 | Service Control Manager | +| QakBot Process Creation | intermediate | 1 | Microsoft-Windows-Sysmon | +| StoneDrill Service Install | intermediate | 7045 | Service Control Manager | +| New DLL Added To AppCertDlls Registry Key | intermediate | 1, 13 | Microsoft-Windows-Sysmon | +| Searchprotocolhost Child Found | intermediate | 1 | Microsoft-Windows-Sysmon | +| Transfering Files With Credential Data Via Network Shares | intermediate | 5145 | Microsoft-Windows-Security-Auditing | +| TUN/TAP Driver Installation | intermediate | 4697, 7045 | Service Control Manager | +| Commonly Used Commands To Stop Services And Remove Backups | intermediate | 1 | Microsoft-Windows-Sysmon | | Suspicious Cmd File Copy Command To Network Share | intermediate | 30 
| Microsoft-Windows-Kernel-File | -| NTDS.dit File Interaction Through Command Line | intermediate | 1 | Microsoft-Windows-Sysmon | -| Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data | intermediate | 4104 | Microsoft-Windows-PowerShell | -| Password Change On Directory Service Restore Mode (DSRM) Account | intermediate | 4794 | Microsoft-Windows-Security-Auditing | -| MOFComp Execution | intermediate | 1 | Microsoft-Windows-Sysmon | -| CertOC Loading Dll | intermediate | 1 | Kernel-Process | -| UAC Bypass via Event Viewer | intermediate | 13 | Microsoft-Windows-Sysmon | -| Denied Access To Remote Desktop | intermediate | 4825 | Microsoft-Windows-Security-Auditing | -| Active Directory User Backdoors | intermediate | 4662, 5136 | Microsoft-Windows-Security-Auditing | -| Powershell Winlogon Helper DLL | intermediate | 13, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Secure Deletion With SDelete | intermediate | 4656, 4658, 4663 | Microsoft-Windows-Security-Auditing | -| MMC20 Lateral Movement | intermediate | 1 | Microsoft-Windows-Sysmon | +| Exchange Server Creating Unusual Files | intermediate | 11 | Microsoft-Windows-Sysmon | | ETW Tampering | intermediate | 1 | Microsoft-Windows-Sysmon | -| SolarWinds Suspicious File Creation | intermediate | 11 | Microsoft-Windows-Sysmon | -| Powershell UploadString Function | intermediate | 1 | Microsoft-Windows-Sysmon | -| Backup Catalog Deleted | intermediate | 524 | Microsoft-Windows-Backup | -| MMC Spawning Windows Shell | intermediate | 1 | Microsoft-Windows-Sysmon | +| NetNTLM Downgrade Attack | intermediate | 13, 4657 | Microsoft-Windows-Sysmon | +| Chafer (APT 39) Activity | intermediate | 4697, 7045 | Microsoft-Windows-Security-Auditing, Service Control Manager | +| Spyware Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon | +| Microsoft Office Spawning Script | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Scheduled Task Creation | intermediate | 
4688 | Microsoft-Windows-Security-Auditing | +| Qakbot Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon | +| Netsh Allowed Python Program | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious DLL side loading from ProgramData | intermediate | 7 | Microsoft-Windows-Sysmon | +| Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data | intermediate | 4104 | Microsoft-Windows-PowerShell | +| Exfiltration Domain In Command Line | intermediate | 1 | Microsoft-Windows-Sysmon | +| WMImplant Hack Tool | intermediate | 4104 | Microsoft-Windows-PowerShell | +| MavInject Process Injection | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Scripting In A WMI Consumer | intermediate | 20 | Microsoft-Windows-Sysmon | +| Suspicious SAM Dump | intermediate | 16 | Microsoft-Windows-Kernel-General | +| Sysprep On AppData Folder | intermediate | 1 | Microsoft-Windows-Sysmon | +| Impacket Addcomputer | intermediate | 4741 | Microsoft-Windows-Security-Auditing | +| DC Shadow via Service Principal Name (SPN) creation | intermediate | 4742, 5136 | Microsoft-Windows-Security-Auditing | +| Password Dumper Activity On LSASS | intermediate | 4656 | Microsoft-Windows-Security-Auditing | +| Capture a network trace with netsh.exe | intermediate | 1 | Microsoft-Windows-Sysmon | +| Explorer Process Executing HTA File | intermediate | 1 | Microsoft-Windows-Sysmon | +| Microsoft 365 (Office 365) Malware Uploaded On SharePoint | intermediate | 6 | | +| Eventlog Cleared | intermediate | 517, 1102 | Microsoft-Windows-Eventlog | +| Cmdkey Cached Credentials Recon | intermediate | 1 | Microsoft-Windows-Sysmon | +| Sliver DNS Beaconing | intermediate | 22 | Microsoft-Windows-Sysmon | +| Suspicious certutil command | intermediate | 1 | Microsoft-Windows-Sysmon | +| Antivirus Relevant File Paths Alerts | intermediate | 1116 | Microsoft-Windows-Windows Defender | | DHCP Server Loaded the CallOut DLL | intermediate | 1033 | | -| APT29 Fake Google Update Service 
Install | elementary | 7045 | Service Control Manager | +| Invoke-TheHash Commandlets | elementary | 4104 | Microsoft-Windows-PowerShell | +| Process Memory Dump Using Rdrleakdiag | elementary | 5 | Kernel-Process | +| UAC Bypass Via Sdclt | elementary | 1, 13 | Microsoft-Windows-Sysmon | +| Credential Dumping By LaZagne | elementary | 10 | Microsoft-Windows-Sysmon | +| Impacket Wmiexec Module | elementary | 1 | Microsoft-Windows-Sysmon | +| Malicious Service Installations | elementary | 4697, 7045 | Service Control Manager | +| FlowCloud Malware | elementary | 13 | Microsoft-Windows-Sysmon | +| Microsoft 365 Sign-in With No User Agent | elementary | 15 | | +| Disable Workstation Lock | elementary | 13 | Microsoft-Windows-Sysmon | +| Active Directory Database Dump Via Ntdsutil | elementary | 325 | ESENT | +| Exploited CVE-2020-10189 Zoho ManageEngine | elementary | 1 | Microsoft-Windows-Sysmon | +| DNS Tunnel Technique From MuddyWater | elementary | 1 | Microsoft-Windows-Sysmon | +| SysKey Registry Keys Access | elementary | 4656, 4663 | Microsoft-Windows-Security-Auditing | | Ursnif Registry Key | elementary | 13 | Microsoft-Windows-Sysmon | -| Suspicious Headless Web Browser Execution To Download File | elementary | 5 | Kernel-Process | -| Invoke-TheHash Commandlets | elementary | 4104 | Microsoft-Windows-PowerShell | -| Phosphorus (APT35) Exchange Discovery | elementary | 4104 | Microsoft-Windows-PowerShell | -| Microsoft 365 Suspicious Inbox Rule | elementary | 1 | | -| FlowCloud Malware | elementary | 13 | Microsoft-Windows-Sysmon | -| Msdt (Follina) File Browse Process Execution | elementary | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Meterpreter or Cobalt Strike Getsystem Service Installation | elementary | 1, 13, 17, 4697, 7045 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon, Service Control Manager | -| Wdigest Enable UseLogonCredential | elementary | 1, 13 | Microsoft-Windows-Sysmon | -| Copying Browser Files 
With Credentials | elementary | 1 | Microsoft-Windows-Sysmon | -| Disable Task Manager Through Registry Key | elementary | 1, 13 | Microsoft-Windows-Sysmon | +| Turla Named Pipes | elementary | 17 | Microsoft-Windows-Sysmon | +| HackTools Suspicious Names | elementary | 5, 11 | Microsoft-Windows-Kernel-File, Microsoft-Windows-Sysmon | | SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory | elementary | 4704 | Microsoft-Windows-Security-Auditing | -| Leviathan Registry Key Activity | elementary | 1, 13 | Microsoft-Windows-Sysmon | +| Suspicious Headless Web Browser Execution To Download File | elementary | 5 | Kernel-Process | +| Suspicious Netsh DLL Persistence | elementary | 1 | Microsoft-Windows-Sysmon | +| PowerShell Downgrade Attack | elementary | 1 | Microsoft-Windows-Sysmon | +| Smbexec.py Service Installation | elementary | 6, 4697, 7045 | Service Control Manager | | Suspicious HWP Child Process | elementary | 1 | Microsoft-Windows-Sysmon | -| Disable Workstation Lock | elementary | 13 | Microsoft-Windows-Sysmon | -| Suspicious VBS Execution Parameter | elementary | 1 | Microsoft-Windows-Sysmon | -| Raccine Uninstall | elementary | 1 | Microsoft-Windows-Sysmon | -| WMI Install Of Binary | elementary | 1 | Microsoft-Windows-Sysmon | -| Copying Sensitive Files With Credential Data | elementary | 1 | Microsoft-Windows-Sysmon | +| Windows Credential Editor Registry Key | elementary | 13 | Microsoft-Windows-Sysmon | +| OneNote Suspicious Children Process | elementary | 1, 15 | Microsoft-Windows-Sysmon | +| Winword Document Droppers | elementary | 1 | Microsoft-Windows-Sysmon | +| CVE-2019-0708 Scan | elementary | 4625 | Microsoft-Windows-Security-Auditing | +| Suspicious Windows ANONYMOUS LOGON Local Account Created | elementary | 4720 | Microsoft-Windows-Security-Auditing | +| Domain Trust Discovery Through LDAP | elementary | 1, 4688 | Microsoft-REDACTED-Security-Auditing, Microsoft-Windows-Sysmon | +| Disable Task Manager Through 
Registry Key | elementary | 1, 13 | Microsoft-Windows-Sysmon | +| Phorpiex DriveMgr Command | elementary | 1 | Microsoft-Windows-Sysmon | +| Antivirus Password Dumper Detection | elementary | 1116 | Microsoft-Windows-Windows Defender | +| Netsh RDP Port Forwarding | elementary | 1 | Microsoft-Windows-Sysmon | +| WMI Persistence Command Line Event Consumer | elementary | 7 | Microsoft-Windows-Sysmon | +| Equation Group DLL_U Load | elementary | 1 | Microsoft-Windows-Sysmon | +| Wdigest Enable UseLogonCredential | elementary | 1, 13 | Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus History Directory Deleted | elementary | 1 | Microsoft-Windows-Sysmon | | TrustedInstaller Impersonation | elementary | 4104 | Microsoft-Windows-PowerShell | +| Microsoft Entra ID (Azure AD) Domain Trust Modification | elementary | 8 | | +| RTLO Character | elementary | 15 | Microsoft-Windows-Sysmon | | Elise Backdoor | elementary | 1 | Microsoft-Windows-Sysmon | -| Audit CVE Event | elementary | 1 | Microsoft-Windows-Audit-CVE | -| Suncrypt Parameters | elementary | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Phosphorus (APT35) Exchange Discovery | elementary | 4104 | Microsoft-Windows-PowerShell | +| Mshta JavaScript Execution | elementary | 1 | Microsoft-Windows-Sysmon | | Antivirus Exploitation Framework Detection | elementary | 1116 | Microsoft-Windows-Windows Defender | -| Antivirus Web Shell Detection | elementary | 1116 | Microsoft-Windows-Windows Defender | -| IcedID Execution Using Excel | elementary | 1 | Microsoft-Windows-Sysmon | -| Netsh RDP Port Forwarding | elementary | 1 | Microsoft-Windows-Sysmon | -| Domain Trust Discovery Through LDAP | elementary | 1, 4688 | Microsoft-REDACTED-Security-Auditing, Microsoft-Windows-Sysmon | -| Antivirus Password Dumper Detection | elementary | 1116 | Microsoft-Windows-Windows Defender | -| Smbexec.py Service Installation | elementary | 6, 4697, 7045 | Service Control Manager | +| Audit CVE Event | 
elementary | 1 | Microsoft-Windows-Audit-CVE | +| Sticky Key Like Backdoor Usage | elementary | 13 | Microsoft-Windows-Sysmon | | Ryuk Ransomware Command Line | elementary | 1 | Microsoft-Windows-Sysmon | -| Process Memory Dump Using Comsvcs | elementary | 1 | Microsoft-Windows-Sysmon | -| RedMimicry Winnti Playbook Registry Manipulation | elementary | 1, 13 | Microsoft-Windows-Sysmon | -| Phorpiex DriveMgr Command | elementary | 1 | Microsoft-Windows-Sysmon | -| RTLO Character | elementary | 15 | Microsoft-Windows-Sysmon | -| Turla Named Pipes | elementary | 17 | Microsoft-Windows-Sysmon | -| Malicious Service Installations | elementary | 4697, 7045 | Service Control Manager | -| Malspam Execution Registering Malicious DLL | elementary | 1, 11 | Microsoft-Windows-Sysmon | | Active Directory Shadow Credentials | elementary | 5136 | Microsoft-Windows-Security-Auditing | -| OneNote Suspicious Children Process | elementary | 1, 15 | Microsoft-Windows-Sysmon | -| PowerShell Downgrade Attack | elementary | 1 | Microsoft-Windows-Sysmon | -| Lazarus Loaders | elementary | 1 | Microsoft-Windows-Sysmon | -| Impacket Wmiexec Module | elementary | 1 | Microsoft-Windows-Sysmon | -| Windows Update LolBins | elementary | 1 | Microsoft-Windows-Sysmon | -| RedMimicry Winnti Playbook Dropped File | elementary | 11 | Microsoft-Windows-Sysmon | -| Winword Document Droppers | elementary | 1 | Microsoft-Windows-Sysmon | -| DNS Tunnel Technique From MuddyWater | elementary | 1 | Microsoft-Windows-Sysmon | | Dumpert LSASS Process Dumper | elementary | 7, 11 | Microsoft-Windows-Sysmon | -| Microsoft Defender Antivirus Signatures Removed With MpCmdRun | elementary | 1 | Microsoft-Windows-Sysmon | -| Mustang Panda Dropper | elementary | 1 | Microsoft-Windows-Sysmon | -| Process Memory Dump Using Createdump | elementary | 1 | Kernel-Process | -| Security Support Provider (SSP) Added to LSA Configuration | elementary | 13 | Microsoft-Windows-Sysmon | +| WMI Install Of Binary | elementary | 1 
| Microsoft-Windows-Sysmon | | ICacls Granting Access To All | elementary | 1 | Microsoft-Windows-Sysmon | +| Empire Monkey Activity | elementary | 1 | Microsoft-Windows-Sysmon | +| Leviathan Registry Key Activity | elementary | 1, 13 | Microsoft-Windows-Sysmon | +| AdFind Usage | elementary | 1 | Microsoft-Windows-Sysmon | +| Process Memory Dump Using Comsvcs | elementary | 1 | Microsoft-Windows-Sysmon | +| Debugging Software Deactivation | elementary | 1 | Microsoft-Windows-Sysmon | +| Raccine Uninstall | elementary | 1 | Microsoft-Windows-Sysmon | +| Meterpreter or Cobalt Strike Getsystem Service Installation | elementary | 1, 13, 17, 4697, 7045 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon, Service Control Manager | +| IcedID Execution Using Excel | elementary | 1 | Microsoft-Windows-Sysmon | +| Mustang Panda Dropper | elementary | 1 | Microsoft-Windows-Sysmon | +| Mimikatz Basic Commands | elementary | 4103 | Microsoft-Windows-PowerShell | | Schtasks Persistence With High Privileges | elementary | 1 | Microsoft-Windows-Sysmon | +| Microsoft 365 Email Forwarding To Privacy Email Address | elementary | 1 | | +| PowerShell AMSI Deactivation Bypass Using .NET Reflection | elementary | 4104 | Microsoft-Windows-PowerShell | +| RedMimicry Winnti Playbook Dropped File | elementary | 11 | Microsoft-Windows-Sysmon | +| Microsoft 365 Suspicious Inbox Rule | elementary | 1 | | +| Lazarus Loaders | elementary | 1 | Microsoft-Windows-Sysmon | +| Microsoft Office Startup Add-In | elementary | 11 | Microsoft-Windows-Sysmon | +| Msdt (Follina) File Browse Process Execution | elementary | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | | Blue Mockingbird Malware | elementary | 1 | Microsoft-Windows-Sysmon | -| Microsoft Defender Antivirus History Directory Deleted | elementary | 1 | Microsoft-Windows-Sysmon | -| Active Directory Database Dump Via Ntdsutil | elementary | 325 | ESENT | -| Phorpiex Process Masquerading | elementary | 1 | 
Microsoft-Windows-Sysmon | -| Debugging Software Deactivation | elementary | 1 | Microsoft-Windows-Sysmon | -| Suspicious Windows ANONYMOUS LOGON Local Account Created | elementary | 4720 | Microsoft-Windows-Security-Auditing | -| AdFind Usage | elementary | 1 | Microsoft-Windows-Sysmon | -| UAC Bypass Via Sdclt | elementary | 1, 13 | Microsoft-Windows-Sysmon | -| CVE-2019-0708 Scan | elementary | 4625 | Microsoft-Windows-Security-Auditing | -| Cobalt Strike Default Service Creation Usage | elementary | 4697, 7045 | Microsoft-Windows-Security-Auditing, Service Control Manager | -| Entra ID Password Compromised By Know Credential Testing Tool | elementary | 15 | | -| PasswordDump SecurityXploded Tool | elementary | 1 | Microsoft-Windows-Sysmon | -| Microsoft Entra ID (Azure AD) Domain Trust Modification | elementary | 8 | | +| Security Support Provider (SSP) Added to LSA Configuration | elementary | 13 | Microsoft-Windows-Sysmon | | Exploit For CVE-2015-1641 | elementary | 1 | Microsoft-Windows-Sysmon | -| Sticky Key Like Backdoor Usage | elementary | 13 | Microsoft-Windows-Sysmon | -| Microsoft 365 Sign-in With No User Agent | elementary | 15 | | -| Suspicious Netsh DLL Persistence | elementary | 1 | Microsoft-Windows-Sysmon | -| Exploited CVE-2020-10189 Zoho ManageEngine | elementary | 1 | Microsoft-Windows-Sysmon | -| PowerShell AMSI Deactivation Bypass Using .NET Reflection | elementary | 4104 | Microsoft-Windows-PowerShell | -| SysKey Registry Keys Access | elementary | 4656, 4663 | Microsoft-Windows-Security-Auditing | -| Equation Group DLL_U Load | elementary | 1 | Microsoft-Windows-Sysmon | +| APT29 Fake Google Update Service Install | elementary | 7045 | Service Control Manager | +| RedMimicry Winnti Playbook Registry Manipulation | elementary | 1, 13 | Microsoft-Windows-Sysmon | +| Process Memory Dump Using Createdump | elementary | 1 | Kernel-Process | +| Malspam Execution Registering Malicious DLL | elementary | 1, 11 | Microsoft-Windows-Sysmon | +| 
Phorpiex Process Masquerading | elementary | 1 | Microsoft-Windows-Sysmon | +| Copying Browser Files With Credentials | elementary | 1 | Microsoft-Windows-Sysmon | +| Suspicious VBS Execution Parameter | elementary | 1 | Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus Signatures Removed With MpCmdRun | elementary | 1 | Microsoft-Windows-Sysmon | +| Antivirus Web Shell Detection | elementary | 1116 | Microsoft-Windows-Windows Defender | +| Entra ID Password Compromised By Known Credential Testing Tool | elementary | 15 | | | Office Application Startup Office Test | elementary | 1, 13 | Microsoft-Windows-Sysmon | -| HackTools Suspicious Names | elementary | 5, 11 | Microsoft-Windows-Kernel-File, Microsoft-Windows-Sysmon | -| Windows Credential Editor Registry Key | elementary | 13 | Microsoft-Windows-Sysmon | -| Mshta JavaScript Execution | elementary | 1 | Microsoft-Windows-Sysmon | -| Process Memory Dump Using Rdrleakdiag | elementary | 5 | Kernel-Process | -| Credential Dumping By LaZagne | elementary | 10 | Microsoft-Windows-Sysmon | -| WMI Persistence Command Line Event Consumer | elementary | 7 | Microsoft-Windows-Sysmon | -| Microsoft Office Startup Add-In | elementary | 11 | Microsoft-Windows-Sysmon | -| Mimikatz Basic Commands | elementary | 4103 | Microsoft-Windows-PowerShell | -| Empire Monkey Activity | elementary | 1 | Microsoft-Windows-Sysmon | -| Microsoft 365 Email Forwarding To Privacy Email Address | elementary | 1 | | +| Copying Sensitive Files With Credential Data | elementary | 1 | Microsoft-Windows-Sysmon | +| PasswordDump SecurityXploded Tool | elementary | 1 | Microsoft-Windows-Sysmon | +| Suncrypt Parameters | elementary | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Windows Update LolBins | elementary | 1 | Microsoft-Windows-Sysmon | +| Cobalt Strike Default Service Creation Usage | elementary | 4697, 7045 | Microsoft-Windows-Security-Auditing, Service Control Manager | ## EventIDs occurences in rules -| 
EventID | Number of rules concerned | Percentage of rules concerned (Total rules: 451) | +| EventID | Number of rules concerned | Percentage of rules concerned (Total rules: 450) | | ------- | ------------------------- | ------------------------------------------------------ | -| 1 | 221 | 49.0 % | -| 13 | 45 | 9.98 % | -| 4104 | 43 | 9.53 % | -| 11 | 20 | 4.43 % | +| 1 | 220 | 48.89 % | +| 13 | 45 | 10.0 % | +| 4104 | 43 | 9.56 % | +| 11 | 20 | 4.44 % | | 5 | 15 | 3.33 % | | 7 | 15 | 3.33 % | -| 7045 | 11 | 2.44 % | | 5145 | 11 | 2.44 % | -| 4656 | 8 | 1.77 % | -| 15 | 8 | 1.77 % | -| 3 | 7 | 1.55 % | -| 4688 | 7 | 1.55 % | -| 4663 | 6 | 1.33 % | +| 7045 | 11 | 2.44 % | +| 15 | 8 | 1.78 % | +| 4656 | 8 | 1.78 % | +| 3 | 7 | 1.56 % | +| 4688 | 7 | 1.56 % | +| 5136 | 6 | 1.33 % | +| 10 | 6 | 1.33 % | +| 4697 | 6 | 1.33 % | | 98 | 6 | 1.33 % | +| 4663 | 6 | 1.33 % | | 17 | 6 | 1.33 % | -| 4697 | 6 | 1.33 % | | 4662 | 6 | 1.33 % | -| 10 | 6 | 1.33 % | -| 5136 | 6 | 1.33 % | | 4624 | 5 | 1.11 % | | 1116 | 5 | 1.11 % | -| 64 | 4 | 0.89 % | | 22 | 4 | 0.89 % | +| 64 | 4 | 0.89 % | | 12 | 3 | 0.67 % | +| 4720 | 3 | 0.67 % | | 6 | 3 | 0.67 % | | 4625 | 3 | 0.67 % | -| 4720 | 3 | 0.67 % | | 4103 | 3 | 0.67 % | +| 4729 | 2 | 0.44 % | +| 30 | 2 | 0.44 % | | 20 | 2 | 0.44 % | -| 4799 | 2 | 0.44 % | | 1033 | 2 | 0.44 % | -| 5007 | 2 | 0.44 % | -| 4729 | 2 | 0.44 % | -| 25 | 2 | 0.44 % | | 8 | 2 | 0.44 % | -| 30 | 2 | 0.44 % | | 4728 | 2 | 0.44 % | +| 5007 | 2 | 0.44 % | +| 4799 | 2 | 0.44 % | +| 25 | 2 | 0.44 % | +| 4738 | 1 | 0.22 % | +| 4732 | 1 | 0.22 % | +| 4649 | 1 | 0.22 % | +| 1127 | 1 | 0.22 % | +| 5001 | 1 | 0.22 % | +| 5101 | 1 | 0.22 % | +| 5010 | 1 | 0.22 % | +| 5012 | 1 | 0.22 % | +| 2013 | 1 | 0.22 % | +| 325 | 1 | 0.22 % | +| 4825 | 1 | 0.22 % | +| 524 | 1 | 0.22 % | | 4674 | 1 | 0.22 % | -| 4661 | 1 | 0.22 % | | 4704 | 1 | 0.22 % | -| 47 | 1 | 0.22 % | +| 8001 | 1 | 0.22 % | +| 4794 | 1 | 0.22 % | | 19 | 1 | 0.22 % | | 21 | 1 | 0.22 % | -| 16 | 1 | 0.22 % | -| 
6416 | 1 | 0.22 % | -| 1013 | 1 | 0.22 % | -| 4649 | 1 | 0.22 % | -| 4742 | 1 | 0.22 % | -| 40 | 1 | 0.22 % | +| 4743 | 1 | 0.22 % | +| 5156 | 1 | 0.22 % | +| 1032 | 1 | 0.22 % | +| 1034 | 1 | 0.22 % | +| 1031 | 1 | 0.22 % | +| 27 | 1 | 0.22 % | +| 5154 | 1 | 0.22 % | | 4726 | 1 | 0.22 % | -| 4611 | 1 | 0.22 % | +| 4661 | 1 | 0.22 % | +| 4658 | 1 | 0.22 % | +| 4754 | 1 | 0.22 % | +| 4756 | 1 | 0.22 % | +| 4757 | 1 | 0.22 % | +| 4758 | 1 | 0.22 % | +| 4727 | 1 | 0.22 % | +| 4730 | 1 | 0.22 % | +| 4764 | 1 | 0.22 % | +| 40 | 1 | 0.22 % | +| 1000 | 1 | 0.22 % | +| 4673 | 1 | 0.22 % | | 1125 | 1 | 0.22 % | | 1126 | 1 | 0.22 % | | 1006 | 1 | 0.22 % | 
@@ -527,76 +550,52 @@ The colors of the EventIDs in this page should be interpreted as follow: | 1117 | 1 | 0.22 % | | 1118 | 1 | 0.22 % | | 1119 | 1 | 0.22 % | -| 8001 | 1 | 0.22 % | -| 27 | 1 | 0.22 % | -| 1032 | 1 | 0.22 % | -| 1034 | 1 | 0.22 % | -| 1031 | 1 | 0.22 % | +| 47 | 1 | 0.22 % | +| 4776 | 1 | 0.22 % | +| 1013 | 1 | 0.22 % | +| 4657 | 1 | 0.22 % | | 4706 | 1 | 0.22 % | | 4707 | 1 | 0.22 % | -| 1000 | 1 | 0.22 % | -| 4743 | 1 | 0.22 % | -| 4732 | 1 | 0.22 % | +| 5140 | 1 | 0.22 % | +| 16 | 1 | 0.22 % | +| 4741 | 1 | 0.22 % | +| 4742 | 1 | 0.22 % | | 517 | 1 | 0.22 % | | 1102 | 1 | 0.22 % | -| 1127 | 1 | 0.22 % | -| 5001 | 1 | 0.22 % | -| 5101 | 1 | 0.22 % | -| 5010 | 1 | 0.22 % | -| 5012 | 1 | 0.22 % | -| 2013 | 1 | 0.22 % | -| 4673 | 1 | 0.22 % | -| 325 | 1 | 0.22 % | -| 5154 | 1 | 0.22 % | -| 4741 | 1 | 0.22 % | -| 5140 | 1 | 0.22 % | +| 6416 | 1 | 0.22 % | +| 4611 | 1 | 0.22 % | | 770 | 1 | 0.22 % | | 771 | 1 | 0.22 % | | 150 | 1 | 0.22 % | -| 4657 | 1 | 0.22 % | -| 5156 | 1 | 0.22 % | -| 4738 | 1 | 0.22 % | -| 4776 | 1 | 0.22 % | -| 4754 | 1 | 0.22 % | -| 4756 | 1 | 0.22 % | -| 4757 | 1 | 0.22 % | -| 4758 | 1 | 0.22 % | -| 4727 | 1 | 0.22 % | -| 4730 | 1 | 0.22 % | -| 4764 | 1 | 0.22 % | -| 4794 | 1 | 0.22 % | -| 4825 | 1 | 0.22 % | -| 4658 | 1 | 0.22 % | -| 524 | 1 | 0.22 % | ## EventProviders occurences in rules -| EventProvider | Number of rules concerned | Percentage of rules concerned (Total rules: 451) | +| EventProvider | Number of rules concerned | Percentage of rules concerned (Total rules: 450) | | ------- | ------------------------- | ------------------------------------------------------ | -| Microsoft-Windows-Sysmon | 291 | 64.52 % | -| Microsoft-Windows-Security-Auditing | 70 | 15.52 % | -| Microsoft-Windows-PowerShell | 46 | 10.2 % | -| Kernel-Process | 22 | 4.88 % | +| Microsoft-Windows-Sysmon | 290 | 64.44 % | +| Microsoft-Windows-Security-Auditing | 70 | 15.56 % | +| Microsoft-Windows-PowerShell | 46 | 10.22 % | +| Kernel-Process 
| 22 | 4.89 % | | Service Control Manager | 11 | 2.44 % | | Microsoft-Windows-Windows Defender | 9 | 2.0 % | | Microsoft-Windows-Kernel-File | 4 | 0.89 % | -| Microsoft-Windows-Kernel-Network | 1 | 0.22 % | -| Microsoft-Windows-Kernel-General | 1 | 0.22 % | -| Microsoft-Windows-Audit-CVE | 1 | 0.22 % | -| Microsoft-REDACTED-Security-Auditing | 1 | 0.22 % | +| ESENT | 1 | 0.22 % | +| Microsoft-Windows-Backup | 1 | 0.22 % | | Microsoft-Windows-NTLM | 1 | 0.22 % | +| Microsoft-Windows-Kernel-Process | 1 | 0.22 % | +| Microsoft-REDACTED-Security-Auditing | 1 | 0.22 % | | Microsoft-Windows-DHCP-Server | 1 | 0.22 % | -| Application Error | 1 | 0.22 % | +| Microsoft-Windows-Kernel-Network | 1 | 0.22 % | | Microsoft-Windows-DNS-Client | 1 | 0.22 % | +| Microsoft-Windows-Audit-CVE | 1 | 0.22 % | +| Application Error | 1 | 0.22 % | +| Microsoft-Windows-Kernel-General | 1 | 0.22 % | | Microsoft-Windows-Eventlog | 1 | 0.22 % | -| ESENT | 1 | 0.22 % | | Microsoft-Windows-DNS-Server-Service | 1 | 0.22 % | -| Microsoft-Windows-Kernel-Process | 1 | 0.22 % | -| Microsoft-Windows-Backup | 1 | 0.22 % | ## EffortLevel x EventIDs -| Effort Level | EventIDs | Number of related rules | Percentage of related rules (Total rules: 451 | +| Effort Level | EventIDs | Number of related rules | Percentage of related rules (Total rules: 450 | | ------------ | -------- | ----------------------- | ------------------------------------------------------- | -| master | 1, 10, 1013, 11, 12, 13, 15, 150, 17, 22, 25, 27, 3, 40, 4104, 4611, 4624, 4625, 4656, 4661, 4662, 4663, 4673, 4674, 4720, 4726, 4727, 4728, 4729, 4730, 4732, 4743, 4754, 4756, 4757, 4758, 4764, 5007, 5140, 5145, 64, 7, 770, 771, 8001, 98 | 87 | 19.29 % | -| advanced | 1, 10, 1006, 1007, 1008, 1015, 11, 1116, 1117, 1118, 1119, 1125, 1126, 1127, 13, 15, 17, 19, 20, 2013, 21, 22, 3, 4103, 4104, 4624, 4625, 4656, 4662, 4688, 4706, 4707, 4776, 4799, 5, 5001, 5010, 5012, 5101, 5136, 5145, 5154, 5156, 6416, 7, 7045, 8 | 111 | 24.61 % | -| 
intermediate | 1, 10, 1000, 1031, 1032, 1033, 1034, 11, 1102, 1116, 12, 13, 15, 16, 17, 20, 22, 3, 30, 4103, 4104, 4624, 4649, 4656, 4657, 4658, 4662, 4663, 4688, 4697, 47, 4720, 4738, 4741, 4742, 4794, 4799, 4825, 5, 5136, 5145, 517, 524, 6, 7, 7045 | 166 | 36.81 % | -| elementary | 1, 10, 11, 1116, 13, 15, 17, 325, 4103, 4104, 4625, 4656, 4663, 4688, 4697, 4704, 4720, 5, 5136, 6, 7, 7045, 8 | 87 | 19.29 % | \ No newline at end of file +| master | 1, 10, 1013, 11, 12, 13, 15, 150, 17, 22, 25, 27, 3, 40, 4104, 4611, 4624, 4625, 4656, 4661, 4662, 4663, 4673, 4674, 4720, 4726, 4727, 4728, 4729, 4730, 4732, 4743, 4754, 4756, 4757, 4758, 4764, 5007, 5140, 5145, 64, 7, 770, 771, 8001, 98 | 86 | 19.11 % | +| advanced | 1, 10, 1006, 1007, 1008, 1015, 11, 1116, 1117, 1118, 1119, 1125, 1126, 1127, 13, 15, 17, 19, 20, 2013, 21, 22, 3, 4103, 4104, 4624, 4625, 4656, 4662, 4688, 4706, 4707, 4776, 4799, 5, 5001, 5010, 5012, 5101, 5136, 5145, 5154, 5156, 6416, 7, 7045, 8 | 111 | 24.67 % | +| intermediate | 1, 10, 1000, 1031, 1032, 1033, 1034, 11, 1102, 1116, 12, 13, 15, 16, 17, 20, 22, 3, 30, 4103, 4104, 4624, 4649, 4656, 4657, 4658, 4662, 4663, 4688, 4697, 47, 4720, 4738, 4741, 4742, 4794, 4799, 4825, 5, 5136, 5145, 517, 524, 6, 7, 7045 | 166 | 36.89 % | +| elementary | 1, 10, 11, 1116, 13, 15, 17, 325, 4103, 4104, 4625, 4656, 4663, 4688, 4697, 4704, 4720, 5, 5136, 6, 7, 7045, 8 | 87 | 19.33 % | \ No newline at end of file