diff --git a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
index 6685ba1b0a..6295c035fc 100644
--- a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, WMIC Uninstall Product, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled IE Security Features, Raccine Uninstall, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MavInject Process Injection, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
index a1a7f2404d..c0538d6280 100644
--- a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Empire Monkey Activity, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious Control Process, Suspicious Rundll32.exe Execution, MavInject Process Injection, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, CertOC Loading Dll, Control Panel Items, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Powershell Web Request, WMIC Uninstall Product, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Windows Script Execution, Elise Backdoor, PowerShell Downgrade Attack, Koadic Execution, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, MalwareBytes Uninstallation, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Koadic Execution, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, CMSTP Execution, Suspicious Control Process, MavInject Process Injection, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Equation Group DLL_U Load, Control Panel Items"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Python Offensive Tools and Packages, Koadic Execution, Suspicious Taskkill Command, Suspicious VBS Execution Parameter, Lazarus Loaders, Suspicious Windows Script Execution, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Sysprep On AppData Folder, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Opening"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SSH X11 Forwarding, SSH Tunnel Traffic"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Linux Binary Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Linux Binary Masquerading, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File and Directory Permissions Modification"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: File and Directory Permissions Modification"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
index d4cc396d1b..62c7819c6f 100644
--- a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
index 34fe63f2a2..772daf2aaa 100644
--- a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, WithSecure Elements Critical Severity, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, WithSecure Elements Critical Severity, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Empire Monkey Activity, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious Control Process, Suspicious Rundll32.exe Execution, MavInject Process Injection, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, CertOC Loading Dll, Control Panel Items, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WithSecure Elements Critical Severity, Phorpiex DriveMgr Command, Powershell Web Request, WMIC Uninstall Product, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Windows Script Execution, Elise Backdoor, PowerShell Downgrade Attack, Koadic Execution, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, MalwareBytes Uninstallation, PowerShell Download From URL, Microsoft Office Creating Suspicious File, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Package Manager Alteration, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Koadic Execution, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, CMSTP Execution, Suspicious Control Process, MavInject Process Injection, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Equation Group DLL_U Load, Control Panel Items"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Suspicious File Creation, WithSecure Elements Critical Severity"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, WithSecure Elements Critical Severity, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Python Offensive Tools and Packages, Koadic Execution, Suspicious Taskkill Command, Suspicious VBS Execution Parameter, Lazarus Loaders, Suspicious Windows Script Execution, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Sysprep On AppData Folder, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Package Manager Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Package Manager Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Opening"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, WithSecure Elements Critical Severity"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
index f14f532ba5..fb18a824aa 100644
--- a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Report", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Report", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
index e8824a53e9..1aa60f8053 100644
--- a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Microsoft Defender for Office 365 Alert, Microsoft 365 Defender Alert, Winword Document Droppers, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Suspicious Outlook Child Process, IcedID Execution Using Excel, Microsoft 365 Defender For Endpoint Alert, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Microsoft 365 Defender Cloud App Security Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, Microsoft 365 Defender Alert, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, WMIC Uninstall Product, Suspicious Windows Script Execution, Elise Backdoor, PowerShell Downgrade Attack, Koadic Execution, Interactive Terminal Spawned via Python, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, MalwareBytes Uninstallation, Microsoft Defender for Office 365 Alert, PowerShell Download From URL, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Microsoft Office Spawning Script, QakBot Process Creation, Default Encoding To UTF-8 PowerShell, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Suspicious VBS Execution Parameter, Suspicious Outlook Child Process, Sysprep On AppData Folder, Socat Reverse Shell Detection, Microsoft 365 Defender For Endpoint Alert, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft 365 Defender Cloud App Security Alert"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Alert, Microsoft 365 Defender Alert, Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Microsoft 365 Defender For Endpoint Alert, Windows Update LolBins, Winword wrong parent, Winrshost Wrong Parent, Suspicious DNS Child Process, PsExec Process, Microsoft 365 Defender Cloud App Security Alert, Wininit Wrong Parent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, DNS Tunnel Technique From MuddyWater, Nimbo-C2 User Agent, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Suspicious HWP Child Process, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious URI Used In A Lazarus Campaign, Suspicious certutil command"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Empire Monkey Activity, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Control Process, MOFComp Execution, Suspicious DLL Loading By Ordinal, Control Panel Items, xWizard Execution, Equation Group DLL_U Load, MavInject Process Injection, Explorer Process Executing HTA File, CMSTP Execution, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Suspicious DNS Child Process, PsExec Process, Winrshost Wrong Parent, Wininit Wrong Parent"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, MalwareBytes Uninstallation, Raccine Uninstall, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled Service, Clear EventLogs Through CommandLine, Disable .NET ETW Through COMPlus_ETWEnabled, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, SELinux Disabling, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Disabled Service, Microsoft Defender Antivirus Restoration Abuse, SELinux Disabling, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wininit Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, New Service Creation, Winword wrong parent, Winrshost Wrong Parent, Explorer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wininit Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, New Service Creation, Winword wrong parent, Winrshost Wrong Parent, Explorer Wrong Parent"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Elise Backdoor, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, DNS Tunnel Technique From MuddyWater, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Control Process, IcedID Execution Using Excel, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, MavInject Process Injection, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, CertOC Loading Dll, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious Taskkill Command, MOFComp Execution, xWizard Execution, Control Panel Items"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Microsoft Defender for Office 365 Alert, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Wininit Wrong Parent, PsExec Process, Microsoft 365 Defender For Endpoint Alert, Winrshost Wrong Parent, Windows Update LolBins, Microsoft 365 Defender Alert, Usage Of Sysinternals Tools, Microsoft 365 Defender Cloud App Security Alert, SolarWinds Suspicious File Creation, Winword wrong parent"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, MalwareBytes Uninstallation, Koadic Execution, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Outlook Child Process, Venom Multi-hop Proxy agent detection, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Cmd.exe Command Line, Microsoft Defender for Office 365 Alert, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Microsoft 365 Defender For Endpoint Alert, Microsoft 365 Defender Alert, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Microsoft Office Spawning Script, QakBot Process Creation, Python Offensive Tools and Packages, Socat Relaying Socket, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious VBS Execution Parameter, Lazarus Loaders, Suspicious Windows Script Execution, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Sysprep On AppData Folder, MalwareBytes Uninstallation, Microsoft 365 Defender Cloud App Security Alert, Interactive Terminal Spawned via Python, Elise Backdoor"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Defender for Office 365 Alert, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft 365 Defender For Endpoint Alert, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Microsoft 365 Defender Alert, Microsoft 365 Defender Cloud App Security Alert, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Task Manager Through Registry Key, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, SELinux Disabling"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Wininit Wrong Parent, PsExec Process, Winrshost Wrong Parent, Usage Of Sysinternals Tools, Winword wrong parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Explorer Wrong Parent, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Opening"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Wininit Wrong Parent, Winrshost Wrong Parent, New Service Creation, Winword wrong parent, Explorer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Wininit Wrong Parent, Winrshost Wrong Parent, New Service Creation, Winword wrong parent, Explorer Wrong Parent"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, OceanLotus Registry Activity, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock, FlowCloud Malware, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Leviathan Registry Key Activity"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
index 6fe3ad465c..2f099a40c5 100644
--- a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
index dbf8312a47..2c5b5f9921 100644
--- a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Trend Micro Apex One Malware Alert, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Trend Micro Apex One Data Loss Prevention Alert, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign, Suspicious certutil command"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Trend Micro Apex One Malware Alert, Usage Of Procdump With Common Arguments, Trend Micro Apex One Data Loss Prevention Alert, PsExec Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Empire Monkey Activity, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious Control Process, Suspicious Rundll32.exe Execution, MavInject Process Injection, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, CertOC Loading Dll, Control Panel Items, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Powershell Web Request, WMIC Uninstall Product, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Windows Script Execution, Elise Backdoor, PowerShell Downgrade Attack, Koadic Execution, AutoIt3 Execution From Suspicious Folder, Trend Micro Apex One Data Loss Prevention Alert, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, MalwareBytes Uninstallation, PowerShell Download From URL, Microsoft Office Creating Suspicious File, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious VBS Execution Parameter, Trend Micro Apex One Malware Alert, Sysprep On AppData Folder, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Package Manager Alteration, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Koadic Execution, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, CMSTP Execution, Suspicious Control Process, MavInject Process Injection, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Equation Group DLL_U Load, Control Panel Items"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Trend Micro Apex One Data Loss Prevention Alert, Trend Micro Apex One Malware Alert, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Trend Micro Apex One Data Loss Prevention Alert, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Python Offensive Tools and Packages, Koadic Execution, Suspicious Taskkill Command, Suspicious VBS Execution Parameter, Lazarus Loaders, Trend Micro Apex One Malware Alert, Suspicious Windows Script Execution, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Sysprep On AppData Folder, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Package Manager Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Package Manager Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Opening"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Trend Micro Apex One Data Loss Prevention Alert, Trend Micro Apex One Malware Alert, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
index 9647b624b0..60297acd90 100644
--- a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Mitigation Report Kill Success, Download Files From Suspicious TLDs, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Mitigation Report Remediate Success, MS Office Product Spawning Exe in User Dir, SentinelOne EDR Malicious Threat Not Mitigated, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Custom Rule Alert, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR SSO User Added, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Threat Detected (Suspicious)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Mitigation Report Kill Success, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Custom Rule Alert, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR SSO User Added, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Threat Detected (Suspicious)"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, SentinelOne EDR User Failed To Log In To The Management Console, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, WMIC Uninstall Product, SentinelOne EDR Threat Detected (Suspicious), Microsoft Defender Antivirus Disabled Base64 Encoded, SentinelOne EDR User Logged In To The Management Console, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, MalwareBytes Uninstallation, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Default Encoding To UTF-8 PowerShell, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Agent Disabled, SentinelOne EDR SSO User Added, Suspicious PrinterPorts Creation (CVE-2020-1048), SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence)"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled IE Security Features, Raccine Uninstall, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Package Manager Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Package Manager Alteration, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, CMSTP UAC Bypass via COM Object Access, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, WMI Install Of Binary, Impacket Wmiexec Module, WMIC Uninstall Product"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Cmd.exe Command Line, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Mitigation Report Kill Success, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, SentinelOne EDR User Logged In To The Management Console, Microsoft Defender Antivirus Disabled Base64 Encoded, SentinelOne EDR Agent Disabled, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Detected (Suspicious), Default Encoding To UTF-8 PowerShell, SentinelOne EDR Custom Rule Alert, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, SentinelOne EDR Threat Mitigation Report Quarantine Success, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Lazarus Loaders, WMIC Uninstall Product, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Package Manager Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, CMSTP UAC Bypass via COM Object Access, Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Custom Rule Alert, SolarWinds Wrong Child Process, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Agent Disabled, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR Threat Detected (Suspicious), Download Files From Suspicious TLDs, SentinelOne EDR SSO User Added, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Agent Disabled, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
index 0c182a6d97..b11fa9383f 100644
--- a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
index b168d2f66a..ba726a31ad 100644
--- a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Empire Monkey Activity, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Control Process, MOFComp Execution, Suspicious DLL Loading By Ordinal, Control Panel Items, xWizard Execution, Equation Group DLL_U Load, MavInject Process Injection, Explorer Process Executing HTA File, CMSTP Execution, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Suspicious DNS Child Process, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Windows Update LolBins, Winword wrong parent, Suspicious DNS Child Process, PsExec Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Suspicious Outlook Child Process, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, WMIC Uninstall Product, Suspicious Windows Script Execution, Elise Backdoor, PowerShell Downgrade Attack, Koadic Execution, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, MalwareBytes Uninstallation, PowerShell Download From URL, Microsoft Office Spawning Script, QakBot Process Creation, Default Encoding To UTF-8 PowerShell, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Suspicious VBS Execution Parameter, Suspicious Outlook Child Process, Sysprep On AppData Folder, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, New Service Creation, Winword wrong parent, Explorer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, New Service Creation, Winword wrong parent, Explorer Wrong Parent"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Elise Backdoor, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Control Process, IcedID Execution Using Excel, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, MavInject Process Injection, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, CertOC Loading Dll, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious Taskkill Command, MOFComp Execution, xWizard Execution, Control Panel Items"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, MalwareBytes Uninstallation, Koadic Execution, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Outlook Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Cmd.exe Command Line, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Microsoft Office Spawning Script, QakBot Process Creation, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious VBS Execution Parameter, Lazarus Loaders, Suspicious Windows Script Execution, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Sysprep On AppData Folder, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, PsExec Process, Windows Update LolBins, Winword wrong parent"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, PsExec Process, Winword wrong parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Opening"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, New Service Creation, Winword wrong parent, Explorer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, New Service Creation, Winword wrong parent, Explorer Wrong Parent"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
index 54e691a9f4..1dd51837e5 100644
--- a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server, Sliver DNS Beaconing"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, WMIC Uninstall Product, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded, MalwareBytes Uninstallation, Disabled IE Security Features, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Raccine Uninstall, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MavInject Process Injection, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, Ursnif Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Venom Multi-hop Proxy agent detection, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation, Suspicious Driver Loaded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, OceanLotus Registry Activity, Blue Mockingbird Malware, Disable Workstation Lock, FlowCloud Malware, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json
index 12baf654a2..d29dd942d3 100644
--- a/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Linux [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, WMIC Uninstall Product, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled IE Security Features, Raccine Uninstall, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MavInject Process Injection, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Linux [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
index b08e466f89..a55475f7d8 100644
--- a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
index 087923f845..a82dd118be 100644
--- a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
index 5a6b790c2e..19b369f6dd 100644
--- a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
index be7e4aa226..89833968d2 100644
--- a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, WMIC Uninstall Product, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled IE Security Features, Raccine Uninstall, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MavInject Process Injection, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
index 7efc884733..bf7d95a4bb 100644
--- a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Empire Monkey Activity, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Control Process, MOFComp Execution, Suspicious DLL Loading By Ordinal, Control Panel Items, xWizard Execution, Equation Group DLL_U Load, MavInject Process Injection, Explorer Process Executing HTA File, CMSTP Execution, CMSTP UAC Bypass via COM Object Access, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Logonui Wrong Parent, Suspicious DNS Child Process, Winlogon wrong parent, Taskhost Wrong Parent, Winrshost Wrong Parent, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, PsExec Process, Rare Logonui Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, CrowdStrike Falcon Intrusion Detection Low Severity, Logonui Wrong Parent, CrowdStrike Falcon Intrusion Detection, Suspicious DNS Child Process, Winlogon wrong parent, Taskhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Suspicious File Creation, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, Windows Update LolBins, Userinit Wrong Parent, CrowdStrike Falcon Intrusion Detection High Severity, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Intrusion Detection Critical Severity, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, CrowdStrike Falcon Intrusion Detection Informational Severity, PsExec Process, Rare Logonui Child Found"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Spoolsv Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, Winlogon wrong parent, Winrshost Wrong Parent, New Service Creation, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Spoolsv Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, Winlogon wrong parent, Winrshost Wrong Parent, New Service Creation, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, CrowdStrike Falcon Intrusion Detection, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, CrowdStrike Falcon Intrusion Detection Informational Severity, MS Office Product Spawning Exe in User Dir, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Intrusion Detection Critical Severity, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Intrusion Detection Low Severity, Exploit For CVE-2015-1641, CrowdStrike Falcon Intrusion Detection High Severity, Microsoft Office Spawning Script, Explorer Process Executing HTA File"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, CrowdStrike Falcon Intrusion Detection Low Severity, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, Powershell Web Request, CrowdStrike Falcon Intrusion Detection, PowerShell Malicious Nishang PowerShell Commandlets, WMIC Uninstall Product, Trickbot Malware Activity, Suspicious Windows Script Execution, Elise Backdoor, PowerShell Downgrade Attack, Koadic Execution, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, MalwareBytes Uninstallation, PowerShell Download From URL, CrowdStrike Falcon Intrusion Detection High Severity, Microsoft Office Spawning Script, QakBot Process Creation, Default Encoding To UTF-8 PowerShell, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Suspicious VBS Execution Parameter, Suspicious Outlook Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, Sysprep On AppData Folder, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Intrusion Detection Critical Severity, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, CrowdStrike Falcon Intrusion Detection Informational Severity, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Opening, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Trickbot Malware Activity"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Python HTTP Server"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Control Process, IcedID Execution Using Excel, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, MavInject Process Injection, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, CertOC Loading Dll, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious Taskkill Command, MOFComp Execution, xWizard Execution, Control Panel Items"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Svchost Wrong Parent, CrowdStrike Falcon Intrusion Detection Informational Severity, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, SolarWinds Suspicious File Creation, CrowdStrike Falcon Intrusion Detection, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, PsExec Process, Csrss Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, CrowdStrike Falcon Intrusion Detection High Severity, CrowdStrike Falcon Intrusion Detection Low Severity, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, CrowdStrike Falcon Intrusion Detection Medium Severity, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Windows Update LolBins, Winrshost Wrong Parent, Csrss Wrong Parent, CrowdStrike Falcon Intrusion Detection Critical Severity, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Koadic Execution, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Trickbot Malware Activity, CrowdStrike Falcon Intrusion Detection Informational Severity, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Outlook Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, CrowdStrike Falcon Intrusion Detection, Suspicious Cmd.exe Command Line, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Microsoft Office Spawning Script, CrowdStrike Falcon Intrusion Detection High Severity, QakBot Process Creation, Python Offensive Tools and Packages, CrowdStrike Falcon Intrusion Detection Low Severity, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, CrowdStrike Falcon Intrusion Detection Medium Severity, Suspicious VBS Execution Parameter, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Windows Script Execution, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Sysprep On AppData Folder, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, CrowdStrike Falcon Intrusion Detection Critical Severity, Elise Backdoor"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: CrowdStrike Falcon Intrusion Detection Medium Severity, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, CrowdStrike Falcon Intrusion Detection Informational Severity, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Intrusion Detection High Severity, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Intrusion Detection Low Severity, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, CrowdStrike Falcon Intrusion Detection"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, PsExec Process, Csrss Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, RTLO Character, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, New Service Creation, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, New Service Creation, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
index 3fdeeb3d99..165edac5ae 100644
--- a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
index 00f721f6d6..ede3b58305 100644
--- a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Python HTTP Server, Suspicious LDAP-Attributes Used, Suspicious Windows DNS Queries, Sliver DNS Beaconing"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Gpscript Suspicious Parent, Malicious Service Installations, APT29 Fake Google Update Service Install, Smss Wrong Parent, Lsass Wrong Parent, Spoolsv Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, Winlogon wrong parent, Winrshost Wrong Parent, StoneDrill Service Install, Chafer (APT 39) Activity, New Service Creation, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Explorer Wrong Parent, Cobalt Strike Default Service Creation Usage, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Gpscript Suspicious Parent, Malicious Service Installations, APT29 Fake Google Update Service Install, Smss Wrong Parent, Lsass Wrong Parent, Spoolsv Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, Winlogon wrong parent, Winrshost Wrong Parent, StoneDrill Service Install, Chafer (APT 39) Activity, New Service Creation, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Explorer Wrong Parent, Cobalt Strike Default Service Creation Usage, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Metasploit PSExec Service Creation, Gpscript Suspicious Parent, Malicious Service Installations, Smss Wrong Parent, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Logonui Wrong Parent, Suspicious DNS Child Process, Winlogon wrong parent, Taskhost Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools, Suspicious PsExec Execution, Smbexec.py Service Installation, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Credential Dumping Tools Service Execution, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, PsExec Process, Rare Logonui Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Metasploit PSExec Service Creation, Gpscript Suspicious Parent, Malicious Service Installations, Smss Wrong Parent, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Logonui Wrong Parent, Suspicious DNS Child Process, Winlogon wrong parent, Taskhost Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation, Suspicious PsExec Execution, Smbexec.py Service Installation, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Microsoft Defender Antivirus Threat Detected, Rare Lsass Child Found, OneNote Suspicious Children Process, Credential Dumping Tools Service Execution, Windows Update LolBins, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, PsExec Process, Rare Logonui Child Found"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification, Narrator Feedback-Hub Persistence, Registry Key Used By Some Old Agent Tesla Samples, Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Ryuk Ransomware Persistence Registry Key, Suspicious desktop.ini Action, Autorun Keys Modification, Kernel Module Alteration, DLL Load via LSASS Registry Key, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL, Narrator Feedback-Hub Persistence, Registry Key Used By Some Old Agent Tesla Samples, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: TUN/TAP Driver Installation, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Lateral Movement - Remote Named Pipe, Cobalt Strike Default Service Creation Usage, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Admin Share Access"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Lateral Movement - Remote Named Pipe, Cobalt Strike Default Service Creation Usage, MMC Spawning Windows Shell, RDP Login From Localhost, RDP Port Change Using Powershell, MMC20 Lateral Movement, Protected Storage Service Access, Lsass Access Through WinRM, Denied Access To Remote Desktop, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Admin Share Access"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, Werfault DLL Injection, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, Svchost DLL Search Order Hijack, Hijack Legit RDP Session To Move Laterally, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, TrustedInstaller Impersonation, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Exclusion Configuration, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Windows Defender Deactivation Using PowerShell Script, Suspicious Driver Loaded, Microsoft Defender Antivirus Configuration Changed, MalwareBytes Uninstallation, Disable Windows Defender Credential Guard, Raccine Uninstall, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Disable Security Events Logging Adding Reg Key MiniNt, TrustedInstaller Impersonation, Ryuk Ransomware Command Line, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Exclusion Configuration, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Windows Defender Deactivation Using PowerShell Script, Suspicious Driver Loaded, Microsoft Defender Antivirus Configuration Changed, MalwareBytes Uninstallation, Disable Windows Defender Credential Guard, Raccine Uninstall, Netsh Allow Command, Microsoft Malware Protection Engine Crash, Powershell AMSI Bypass, Clear EventLogs Through CommandLine, Disable .NET ETW Through COMPlus_ETWEnabled, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspect Svchost Memory Access, Microsoft Defender Antivirus Tampering Detected, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable SecurityHealth, Python Opening Ports, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Control Process, MOFComp Execution, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, Control Panel Items, xWizard Execution, Equation Group DLL_U Load, Dynwrapx Module Loading, MavInject Process Injection, Explorer Process Executing HTA File, CMSTP Execution, CMSTP UAC Bypass via COM Object Access, IcedID Execution Using Excel, Suspicious Desktopimgdownldr Execution, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Invoke Expression With Registry, FromBase64String Command Line, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, PowerShell Credential Prompt, Powershell Web Request, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Alternate PowerShell Hosts Pipe, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, WMImplant Hack Tool, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Download From URL, PowerShell - NTFS Alternate Data Stream, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Turla Named Pipes, In-memory PowerShell, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), Detection of default Mimikatz banner"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Invoke Expression With Registry, FromBase64String Command Line, Lazarus Loaders, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, PowerShell Credential Prompt, Phorpiex DriveMgr Command, Powershell Web Request, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, WMIC Uninstall Product, Trickbot Malware Activity, Suspicious Windows Script Execution, Alternate PowerShell Hosts Pipe, WMI DLL Loaded Via Office, Elise Backdoor, Suspicious Scripting In A WMI Consumer, PowerShell Downgrade Attack, Koadic Execution, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Generic, Malspam Execution Registering Malicious DLL, PowerShell EncodedCommand, Microsoft Defender Antivirus Threat Detected, MalwareBytes Uninstallation, WMImplant Hack Tool, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Download From URL, Microsoft Office Creating Suspicious File, PowerShell - NTFS Alternate Data Stream, Venom Multi-hop Proxy agent detection, Microsoft Office Spawning Script, QakBot Process Creation, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, Suspicious DLL Loaded Via Office Applications, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious PowerShell Commandlets, Suspicious VBS Execution Parameter, Suspicious Outlook Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, Sysprep On AppData Folder, Turla Named Pipes, In-memory PowerShell, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), Detection of default Mimikatz banner"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Audit CVE Event, Suspicious HWP Child Process, Antivirus Exploitation Framework Detection, Msdt (Follina) File Browse Process Execution, Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641, Antivirus Password Dumper Detection"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Sysmon Windows File Block Executable, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Medium Level Rule Detection, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, Malspam Execution Registering Malicious DLL, HarfangLab EDR Critical Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Level Rule Detection, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Level Rule Detection, IcedID Execution Using Excel"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Sysmon Windows File Block Executable, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Medium Level Rule Detection, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, Malspam Execution Registering Malicious DLL, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Critical Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Level Rule Detection, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Level Rule Detection, Suspicious Outlook Child Process, IcedID Execution Using Excel"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Creation or Modification of a GPO Scheduled Task, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Creation or Modification of a GPO Scheduled Task, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious DLL Loaded Via Office Applications, WMI DLL Loaded Via Office, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Powershell AMSI Bypass, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Python Opening Ports, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction, Credential Dumping Tools Service Execution, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, LSASS Access From Non System Account, HackTools Suspicious Process Names, Malicious Service Installations, Mimikatz Basic Commands, NTDS.dit File Interaction Through Command Line, Dumpert LSASS Process Dumper, DCSync Attack, HackTools Suspicious Process Names In Command Line, Transfering Files With Credential Data Via Network Shares, LSASS Memory Dump, NTDS.dit File In Suspicious Directory, Lsass Access Through WinRM, Active Directory Replication from Non Machine Account, Impacket Secretsdump.py Tool, Unsigned Image Loaded Into LSASS Process, Windows Credential Editor Registry Key, SAM Registry Hive Handle Request, LSASS Memory Dump File Creation, NetNTLM Downgrade Attack, Rubeus Tool Command-line, Credential Dumping By LaZagne, Cred Dump Tools Dropped Files, Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction, Credential Dumping Tools Service Execution, Copying Sensitive Files With Credential Data, Active Directory Database Dump Via Ntdsutil, WCE wceaux.dll Creation, Password Dumper Activity On LSASS, Load Of dbghelp/dbgcore DLL From Suspicious Process, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, Grabbing Sensitive Hives Via Reg Utility, Suspicious SAM Dump, Copying Browser Files With Credentials, Mimikatz LSASS Memory Access, RedMimicry Winnti Playbook Dropped File, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Active Directory Replication User Backdoor, User Added to Local Administrators, Password Change On Directory Service Restore Mode (DSRM) Account, Privileged AD Builtin Group Modified, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Active Directory Delegate To KRBTGT Service, Active Directory User Backdoors"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel, Dynwrapx Module Loading"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, MavInject Process Injection, Dynwrapx Module Loading"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, CreateRemoteThread Common Process Injection, Taskhostw Wrong Parent, Process Hollowing Detection, Smss Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, Dynwrapx Module Loading, Process Herpaderping, MavInject Process Injection, Svchost Wrong Parent, Wsmprovhost Wrong Parent, Malicious Named Pipe, Taskhost Wrong Parent, Cobalt Strike Named Pipes, Searchprotocolhost Wrong Parent, Explorer Wrong Parent"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command, Suspicious Mshta Execution"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, RDP Login From Localhost, RDP Port Change Using Powershell"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Change Default File Association, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, WMI Event Subscription, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, User Added to Local Administrators, Account Removed From A Security Enabled Group, Denied Access To Remote Desktop, Admin User RDP Remote Logon, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Password Dumper Activity On LSASS, Credential Dumping By LaZagne, Load Of dbghelp/dbgcore DLL From Suspicious Process, Cred Dump Tools Dropped Files, LSASS Access From Non System Account, Credential Dumping-Tools Common Named Pipes, Lsass Access Through WinRM, Process Memory Dump Using Createdump, Credential Dumping Tools Service Execution, Unsigned Image Loaded Into LSASS Process, Dumpert LSASS Process Dumper, Windows Credential Editor Registry Key, Mimikatz LSASS Memory Access, LSASS Memory Dump File Creation, LSASS Memory Dump"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Impacket Secretsdump.py Tool, SAM Registry Hive Handle Request, RedMimicry Winnti Playbook Dropped File"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Register New Logon Process, Suspicious Outbound Kerberos Connection, Possible Replay Attack, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, AD Object WriteDAC Access"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt, Rubeus Tool Command-line, Abusing Azure Browser SSO"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Antivirus Web Shell Detection, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Antivirus Web Shell Detection, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMImplant Hack Tool, WMI DLL Loaded Via Office, Blue Mockingbird Malware, Wmic Process Call Creation, Invoke-TheHash Commandlets, Wmic Service Call, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled, Suspect Svchost Memory Access"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, DCSync Attack, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Suspicious New Printer Ports In Registry, Disable Security Events Logging Adding Reg Key MiniNt, RDP Port Change Using Powershell, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, RedMimicry Winnti Playbook Registry Manipulation, Chafer (APT 39) Activity, Disable Workstation Lock, Suspicious Desktopimgdownldr Execution, OceanLotus Registry Activity, Remote Registry Management Using Reg Utility, Disable .NET ETW Through COMPlus_ETWEnabled, FlowCloud Malware, NetNTLM Downgrade Attack, Ursnif Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Cred Dump Tools Dropped Files, NTDS.dit File Interaction Through Command Line, Impacket Secretsdump.py Tool, Copying Sensitive Files With Credential Data, Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, PowerView commandlets 1, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration, PowerView commandlets 2, AD User Enumeration"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Remote Registry Management Using Reg Utility, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Phosphorus Domain Controller Discovery, PowerView commandlets 1, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, PowerView commandlets 2, Trickbot Malware Activity"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DNS ServerLevelPluginDll Installation, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL, DHCP Callout DLL Installation, Svchost DLL Search Order Hijack, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, SSH Tunnel Traffic, SSH X11 Forwarding, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Secure Deletion With SDelete, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, Bloodhound and Sharphound Tools Usage, AD User Enumeration"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Handle Failure, PowerView commandlets 2, PowerView commandlets 1, SCM Database Privileged Operation"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing, Remote Registry Management Using Reg Utility, SysKey Registry Keys Access"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In, Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, Netsh Port Forwarding"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event, CVE-2019-0708 Scan"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Defender Deactivation Using PowerShell Script, Windows Firewall Changes, Microsoft Defender Antivirus Disable Services, Disable Security Events Logging Adding Reg Key MiniNt, Microsoft Malware Protection Engine Crash, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Opening, Microsoft Defender Antivirus Exclusion Configuration, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Tampering Detected, Netsh Port Opening, Disable Windows Defender Credential Guard, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Suspect Svchost Memory Access, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, NetNTLM Downgrade Attack, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Ryuk Ransomware Command Line, MalwareBytes Uninstallation, Python Opening Ports, TrustedInstaller Impersonation, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Disable Services, Microsoft Malware Protection Engine Crash, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Opening, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening, Disable Windows Defender Credential Guard, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, WMIC Uninstall Product, NetNTLM Downgrade Attack, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Ryuk Ransomware Command Line, MalwareBytes Uninstallation, TrustedInstaller Impersonation, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts, Msdt (Follina) File Browse Process Execution, Suspicious HWP Child Process, Antivirus Password Dumper Detection, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641, Audit CVE Event"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Dynwrapx Module Loading, CMSTP UAC Bypass via COM Object Access, Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Control Process, IcedID Execution Using Excel, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, MavInject Process Injection, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, CertOC Loading Dll, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious Taskkill Command, Suspicious Desktopimgdownldr Execution, MOFComp Execution, xWizard Execution, Control Panel Items"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smbexec.py Service Installation, Wsmprovhost Wrong Parent, SolarWinds Suspicious File Creation, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, PsExec Process, Credential Dumping Tools Service Execution, Csrss Child Found, Metasploit PSExec Service Creation, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Microsoft Defender Antivirus Threat Detected, Usage Of Sysinternals Tools, Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Lsass Child Found, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Windows Update LolBins, Winrshost Wrong Parent, Suspicious PsExec Execution, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Python Opening Ports"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Credential Dumping By LaZagne, Process Memory Dump Using Rdrleakdiag, Unsigned Image Loaded Into LSASS Process, Password Dumper Activity On LSASS, LSASS Memory Dump File Creation, Dumpert LSASS Process Dumper, LSASS Memory Dump, Cred Dump Tools Dropped Files, Load Of dbghelp/dbgcore DLL From Suspicious Process, LSASS Access From Non System Account, Mimikatz LSASS Memory Access, Credential Dumping Tools Service Execution, Lsass Access Through WinRM, Credential Dumping-Tools Common Named Pipes, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Copying Browser Files With Credentials, Password Dumper Activity On LSASS, Load Of dbghelp/dbgcore DLL From Suspicious Process, Dumpert LSASS Process Dumper, LSASS Memory Dump, Cred Dump Tools Dropped Files, Suspicious SAM Dump, LSASS Access From Non System Account, Impacket Secretsdump.py Tool, SAM Registry Hive Handle Request, Wdigest Enable UseLogonCredential, Mimikatz LSASS Memory Access, Process Memory Dump Using Createdump, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction, Copying Sensitive Files With Credential Data, RedMimicry Winnti Playbook Dropped File, Active Directory Replication from Non Machine Account, Process Memory Dump Using Comsvcs, Credential Dumping Tools Service Execution, Credential Dumping By LaZagne, Malicious Service Installations, HackTools Suspicious Process Names In Command Line, LSASS Memory Dump File Creation, DCSync Attack, WCE wceaux.dll Creation, HackTools Suspicious Process Names, Windows Credential Editor Registry Key, Active Directory Database Dump Via Ntdsutil, Unsigned Image Loaded Into LSASS Process, Mimikatz Basic Commands, Transfering Files With Credential Data Via Network Shares, NetNTLM Downgrade Attack, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Lsass Access Through WinRM, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Protected Storage Service Access, RDP Login From Localhost, Admin Share Access, Remote Service Activity Via SVCCTL Named Pipe, Cobalt Strike Default Service Creation Usage, MMC Spawning Windows Shell, RDP Port Change Using Powershell, Denied Access To Remote Desktop, Smbexec.py Service Installation, Lateral Movement - Remote Named Pipe, Lsass Access Through WinRM, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Mustang Panda Dropper, Koadic Execution, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, AutoIt3 Execution From Suspicious Folder, Trickbot Malware Activity, PowerShell Credential Prompt, WMI DLL Loaded Via Office, Turla Named Pipes, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Outlook Child Process, Venom Multi-hop Proxy agent detection, Mustang Panda Dropper, Suspicious Scripting In A WMI Consumer, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, Suspicious Cmd.exe Command Line, Alternate PowerShell Hosts Pipe, In-memory PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell - NTFS Alternate Data Stream, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, Suspicious DLL Loaded Via Office Applications, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, DNS Exfiltration and Tunneling Tools Execution, Microsoft Office Spawning Script, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, Microsoft Defender Antivirus Threat Detected, QakBot Process Creation, Koadic Execution, PowerShell Malicious PowerShell Commandlets, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious VBS Execution Parameter, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Windows Script Execution, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Sysprep On AppData Folder, FromBase64String Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, WMImplant Hack Tool, MalwareBytes Uninstallation, Detection of default Mimikatz banner, Elise Backdoor"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Opening Of a Password File, Adexplorer Usage, Remote Registry Management Using Reg Utility, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Credential Prompt, Turla Named Pipes, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, Alternate PowerShell Hosts Pipe, In-memory PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell - NTFS Alternate Data Stream, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, FromBase64String Command Line, WMImplant Hack Tool, Detection of default Mimikatz banner"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Domain Trust Created Or Removed, GPO Executable Delivery, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Register New Logon Process, Suspicious Outbound Kerberos Connection, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, HarfangLab EDR Hlai Engine Detection, Explorer Process Executing HTA File, Suspicious DLL Loaded Via Office Applications, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, HarfangLab EDR Hlai Engine Detection, Explorer Process Executing HTA File, Suspicious DLL Loaded Via Office Applications, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan, Audit CVE Event"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Dynwrapx Module Loading, CreateRemoteThread Common Process Injection, Svchost Wrong Parent, Process Herpaderping, Process Hollowing Detection, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Malicious Named Pipe, Wsmprovhost Wrong Parent, Cobalt Strike Named Pipes, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Cred Dump Tools Dropped Files, Suspicious SAM Dump, RedMimicry Winnti Playbook Dropped File, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, SAM Registry Hive Handle Request, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory, Cred Dump Tools Dropped Files, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: TUN/TAP Driver Installation, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Suspicious LDAP-Attributes Used, Python HTTP Server, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Leviathan Registry Key Activity, Registry Key Used By Some Old Agent Tesla Samples, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Leviathan Registry Key Activity, DLL Load via LSASS Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Security Support Provider (SSP) Added to LSA Configuration, NjRat Registry Changes, Suspicious desktop.ini Action, Narrator Feedback-Hub Persistence, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Powershell Winlogon Helper DLL, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, AD Object WriteDAC Access, File Or Folder Permissions Modifications"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, Invoke-TheHash Commandlets, WMIC Uninstall Product, WMI DLL Loaded Via Office, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMImplant Hack Tool, WMI Install Of Binary"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious DLL Loaded Via Office Applications, Suspicious Windows Script Execution, WMI DLL Loaded Via Office, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Koadic Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Svchost Wrong Parent, APT29 Fake Google Update Service Install, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, New Service Creation, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, Chafer (APT 39) Activity, Malicious Service Installations, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Cobalt Strike Default Service Creation Usage, StoneDrill Service Install, Rare Lsass Child Found, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Svchost Wrong Parent, APT29 Fake Google Update Service Install, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, New Service Creation, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, Chafer (APT 39) Activity, Malicious Service Installations, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Cobalt Strike Default Service Creation Usage, StoneDrill Service Install, Rare Lsass Child Found, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smbexec.py Service Installation, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, PsExec Process, Credential Dumping Tools Service Execution, Csrss Child Found, Metasploit PSExec Service Creation, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Usage Of Sysinternals Tools, Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Lsass Child Found, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Suspicious PsExec Execution, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Change Default File Association, Suspicious Netsh DLL Persistence, Suspicious Scripting In A WMI Consumer, WMI Event Subscription, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Secure Deletion With SDelete, Microsoft Defender Antivirus Tampering Detected, Eventlog Cleared"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Failed Logon Source From Public IP Addresses, Suspicious DNS Child Process, GitLab CVE-2021-22205, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Chafer (APT 39) Activity, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Chafer (APT 39) Activity, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe, Schtasks Suspicious Parent"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, AutoIt3 Execution From Suspicious Folder, Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, RTLO Character, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Explorer Wrong Parent"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage, PowerView commandlets 1, Phosphorus Domain Controller Discovery, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Protected Storage Service Access, Admin Share Access, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Lateral Movement - Remote Named Pipe"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, Secure Deletion With SDelete, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Cisco Umbrella Threat Detected, Suspicious Double Extension, Suspicious HWP Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation, Exchange Server Creating Unusual Files, Antivirus Web Shell Detection, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files, Antivirus Web Shell Detection, PowerCat Function Loading"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Active Directory Shadow Credentials, KeePass Config XML In Command-Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Werfault DLL Injection, Suspicious DLL side loading from ProgramData, Svchost DLL Search Order Hijack, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Werfault DLL Injection, Suspicious DLL side loading from ProgramData, Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SSH X11 Forwarding, Venom Multi-hop Proxy agent detection, SSH Tunnel Traffic"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Mimikatz Basic Commands, Privileged AD Builtin Group Modified, User Added to Local Administrators, Active Directory Delegate To KRBTGT Service, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory User Backdoors, Active Directory Replication User Backdoor"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, AD User Enumeration, PowerView commandlets 2, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD User Enumeration, Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Handle Failure, PowerView commandlets 2, SCM Database Privileged Operation"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, Chafer (APT 39) Activity, OceanLotus Registry Activity, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable Workstation Lock, FlowCloud Malware, Suspicious New Printer Ports In Registry, NetNTLM Downgrade Attack, Disable Security Events Logging Adding Reg Key MiniNt, RDP Port Change Using Powershell, DNS ServerLevelPluginDll Installation, Wdigest Enable UseLogonCredential, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command, SysKey Registry Keys Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, User Added to Local Administrators, Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group, Denied Access To Remote Desktop, Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cred Dump Tools Dropped Files, DPAPI Domain Backup Key Extraction, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cred Dump Tools Dropped Files, Cmdkey Cached Credentials Recon, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted, Secure Deletion With SDelete"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled, Suspect Svchost Memory Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Denied Access To Remote Desktop, RDP Login From Localhost"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Active Directory Replication from Non Machine Account, DCSync Attack"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Dynwrapx Module Loading"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel, Microsoft Office Startup Add-In"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
index c6dcc55a2f..aa32a73ee7 100644
--- a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-43798 Grafana Directory Traversal"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
index c1502913e1..daf165aea2 100644
--- a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Suspicious Windows DNS Queries, Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Control Process, MOFComp Execution, Suspicious DLL Loading By Ordinal, Control Panel Items, xWizard Execution, Equation Group DLL_U Load, MavInject Process Injection, Explorer Process Executing HTA File, CMSTP Execution, CMSTP UAC Bypass via COM Object Access, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Logonui Wrong Parent, Suspicious DNS Child Process, Winlogon wrong parent, Taskhost Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, PsExec Process, Rare Logonui Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Logonui Wrong Parent, Suspicious DNS Child Process, Winlogon wrong parent, Taskhost Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Microsoft Defender Antivirus Threat Detected, Rare Lsass Child Found, OneNote Suspicious Children Process, Windows Update LolBins, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, PsExec Process, Rare Logonui Child Found"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Spoolsv Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, Winlogon wrong parent, Winrshost Wrong Parent, New Service Creation, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Spoolsv Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, Winlogon wrong parent, Winrshost Wrong Parent, New Service Creation, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Suspicious desktop.ini Action, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, Leviathan Registry Key Activity"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Audit CVE Event, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, WMIC Uninstall Product, Trickbot Malware Activity, Suspicious Windows Script Execution, Elise Backdoor, PowerShell Downgrade Attack, Koadic Execution, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Threat Detected, MalwareBytes Uninstallation, PowerShell Download From URL, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, QakBot Process Creation, Default Encoding To UTF-8 PowerShell, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Suspicious VBS Execution Parameter, Suspicious Outlook Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, Sysprep On AppData Folder, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Opening, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, MalwareBytes Uninstallation, Raccine Uninstall, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Disable .NET ETW Through COMPlus_ETWEnabled, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Microsoft Defender Antivirus Tampering Detected, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Failed Logon Source From Public IP Addresses, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Trickbot Malware Activity"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Control Process, IcedID Execution Using Excel, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, MavInject Process Injection, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, CertOC Loading Dll, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious Taskkill Command, MOFComp Execution, xWizard Execution, Control Panel Items"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, PsExec Process, Csrss Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Microsoft Defender Antivirus Threat Detected, Usage Of Sysinternals Tools, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Windows Update LolBins, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Tampering Detected, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Koadic Execution, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, AutoIt3 Execution From Suspicious Folder, Trickbot Malware Activity, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Outlook Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Cmd.exe Command Line, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Microsoft Office Spawning Script, QakBot Process Creation, Microsoft Defender Antivirus Threat Detected, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious VBS Execution Parameter, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Windows Script Execution, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Sysprep On AppData Folder, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Defender Antivirus Threat Detected, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, PsExec Process, Csrss Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Usage Of Sysinternals Tools, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, RTLO Character, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Koadic Execution, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, New Service Creation, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, New Service Creation, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Audit CVE Event, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, OceanLotus Registry Activity, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock, FlowCloud Malware, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, NjRat Registry Changes, Suspicious desktop.ini Action, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
index 676c320dc3..c721dac823 100644
--- a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware ESXi [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Python HTTP Server, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, WMIC Uninstall Product, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled IE Security Features, Raccine Uninstall, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MavInject Process Injection, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware ESXi [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Python HTTP Server, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
index d8d7227b7f..d6bd83fade 100644
--- a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco ESA [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco ESA [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
index 5bd9b26416..6e465336c5 100644
--- a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
index a3eeeb193c..fd02b50d19 100644
--- a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenLDAP [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenLDAP [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
index a01c451ba8..5c48fd7989 100644
--- a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Python HTTP Server, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Python HTTP Server, Sliver DNS Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Control Process, MOFComp Execution, Suspicious DLL Loading By Ordinal, Control Panel Items, xWizard Execution, Equation Group DLL_U Load, MavInject Process Injection, Explorer Process Executing HTA File, CMSTP Execution, CMSTP UAC Bypass via COM Object Access, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Logonui Wrong Parent, Suspicious DNS Child Process, Winlogon wrong parent, Taskhost Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, PsExec Process, Rare Logonui Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Logonui Wrong Parent, Suspicious DNS Child Process, Winlogon wrong parent, Taskhost Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Microsoft Defender Antivirus Threat Detected, Rare Lsass Child Found, OneNote Suspicious Children Process, Windows Update LolBins, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, PsExec Process, Rare Logonui Child Found"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Spoolsv Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, Winlogon wrong parent, Winrshost Wrong Parent, New Service Creation, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Spoolsv Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, Winlogon wrong parent, Winrshost Wrong Parent, New Service Creation, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Suspicious desktop.ini Action, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, Leviathan Registry Key Activity"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Medium Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Winword Document Droppers, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Critical Level Rule Detection, Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Level Rule Detection, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Hlai Engine Detection, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, HarfangLab EDR Process Execution Blocked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Sysmon Windows File Block Executable, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Medium Level Rule Detection, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Critical Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Level Rule Detection, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, Explorer Process Executing HTA File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Level Rule Detection, Suspicious Outlook Child Process, IcedID Execution Using Excel"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, WMIC Uninstall Product, Trickbot Malware Activity, Suspicious Windows Script Execution, Elise Backdoor, PowerShell Downgrade Attack, Koadic Execution, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Threat Detected, MalwareBytes Uninstallation, PowerShell Download From URL, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, QakBot Process Creation, Default Encoding To UTF-8 PowerShell, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Suspicious VBS Execution Parameter, Suspicious Outlook Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, Sysprep On AppData Folder, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Opening, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Package Manager Alteration, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, MalwareBytes Uninstallation, Raccine Uninstall, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Microsoft Defender Antivirus Tampering Detected, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Failed Logon Source From Public IP Addresses, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, HackTools Suspicious Process Names, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Createdump, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Process Memory Dump Using Createdump"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, Ursnif Registry Key"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Trickbot Malware Activity"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Control Process, IcedID Execution Using Excel, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, MavInject Process Injection, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, CertOC Loading Dll, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious Taskkill Command, MOFComp Execution, xWizard Execution, Control Panel Items"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, PsExec Process, Csrss Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Microsoft Defender Antivirus Threat Detected, Usage Of Sysinternals Tools, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Windows Update LolBins, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Tampering Detected, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Package Manager Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Package Manager Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Koadic Execution, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, AutoIt3 Execution From Suspicious Folder, Trickbot Malware Activity, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Outlook Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Cmd.exe Command Line, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Microsoft Office Spawning Script, QakBot Process Creation, Microsoft Defender Antivirus Threat Detected, Python Offensive Tools and Packages, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious VBS Execution Parameter, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Windows Script Execution, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Sysprep On AppData Folder, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Low Level Rule Detection, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, HarfangLab EDR High Level Rule Detection, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Process Execution Blocked, Exploit For CVE-2015-1641, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Hlai Engine Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Hlai Engine Detection, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, HackTools Suspicious Process Names"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, PsExec Process, Csrss Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Usage Of Sysinternals Tools, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, RTLO Character, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Koadic Execution, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, New Service Creation, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, New Service Creation, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Cron Files Alteration, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, OceanLotus Registry Activity, Blue Mockingbird Malware, Disable Workstation Lock, FlowCloud Malware, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, NjRat Registry Changes, Suspicious desktop.ini Action, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
index 9c6113eac0..dd03e53501 100644
--- a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
index 8c0b5b639d..9ee47dee77 100644
--- a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR Application Detected, Sophos EDR CorePUA Clean, Sophos EDR CorePUA Detection, Download Files From Suspicious TLDs, Sophos EDR Application Blocked"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Sophos EDR CorePUA Detection, Sophos EDR Application Detected, Sophos EDR Application Blocked, Sophos EDR CorePUA Clean"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
index 1bf03499ee..c9ac5ea162 100644
--- a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Exfiltration And Tunneling Tools Execution, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
index 66fd665f25..3cc3f45870 100644
--- a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0 [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Sliver DNS Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Suspicious HWP Child Process, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Download Files From Suspicious TLDs, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious URI Used In A Lazarus Campaign, Suspicious certutil command"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Spoolsv Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, Winlogon wrong parent, Winrshost Wrong Parent, New Service Creation, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Explorer Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Spoolsv Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, Winlogon wrong parent, Winrshost Wrong Parent, New Service Creation, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Explorer Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Logonui Wrong Parent, Suspicious DNS Child Process, Winlogon wrong parent, Taskhost Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, PsExec Process, Rare Logonui Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Logonui Wrong Parent, Suspicious DNS Child Process, Winlogon wrong parent, Taskhost Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Windows Update LolBins, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, PsExec Process, Rare Logonui Child Found"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Empire Monkey Activity, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Control Process, MOFComp Execution, Suspicious DLL Loading By Ordinal, Control Panel Items, xWizard Execution, Equation Group DLL_U Load, MavInject Process Injection, Explorer Process Executing HTA File, CMSTP Execution, CMSTP UAC Bypass via COM Object Access, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, Leviathan Registry Key Activity"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, WMIC Uninstall Product, Trickbot Malware Activity, Suspicious Windows Script Execution, Elise Backdoor, PowerShell Downgrade Attack, Koadic Execution, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, MalwareBytes Uninstallation, PowerShell Download From URL, Microsoft Office Spawning Script, QakBot Process Creation, Default Encoding To UTF-8 PowerShell, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Suspicious VBS Execution Parameter, Suspicious Outlook Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, Sysprep On AppData Folder, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Opening, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Package Manager Alteration, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, MalwareBytes Uninstallation, Raccine Uninstall, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Disable .NET ETW Through COMPlus_ETWEnabled, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process, Windows Credential Editor Registry Key"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Trickbot Malware Activity"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0 [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Control Process, IcedID Execution Using Excel, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, MavInject Process Injection, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, CertOC Loading Dll, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious Taskkill Command, MOFComp Execution, xWizard Execution, Control Panel Items"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Package Manager Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Package Manager Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Koadic Execution, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Trickbot Malware Activity, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Outlook Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Cmd.exe Command Line, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Microsoft Office Spawning Script, QakBot Process Creation, Python Offensive Tools and Packages, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious VBS Execution Parameter, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Windows Script Execution, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Sysprep On AppData Folder, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Load Of dbghelp/dbgcore DLL From Suspicious Process, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, PsExec Process, Csrss Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Usage Of Sysinternals Tools, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Windows Update LolBins, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, New Service Creation, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, New Service Creation, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, PsExec Process, Csrss Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Usage Of Sysinternals Tools, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Cron Files Alteration, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, OceanLotus Registry Activity, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock, FlowCloud Malware, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
index 4b0aaccd2b..ac31ef9339 100644
--- a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Cleaned, Download Files From Suspicious TLDs, Broadcom/Symantec Endpoint Security Event Quarantined, Broadcom/Symantec Endpoint Security Event Terminate, Broadcom/Symantec Endpoint Security Event Blocked"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Interactive Terminal Spawned via Python"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: SELinux Disabling, Disabled Service"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: SELinux Disabling, Disabled Service"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Interactive Terminal Spawned via Python, AutoIt3 Execution From Suspicious Folder, Venom Multi-hop Proxy agent detection, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Broadcom/Symantec Endpoint Security Event Terminate, Broadcom/Symantec Endpoint Security Event Quarantined, Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Cleaned"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
index 49786d21cd..60af8d3ee5 100644
--- a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
index d9bc888963..cf04c94253 100644
--- a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
index 871b0069d9..c4aa68c34f 100644
--- a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Exfiltration And Tunneling Tools Execution, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Exfiltration And Tunneling Tools Execution, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Sliver DNS Beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, LokiBot Default C2 URL, Suspicious Windows DNS Queries, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
index a12c968e64..b04f0b73c3 100644
--- a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cato Networks SASE [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
index 838a4df6fb..0f112af965 100644
--- a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Proofpoint TAP Email Classified As Spam But Allowed, Proofpoint TAP Email Classified As Phishing But Allowed, Proofpoint TAP Email Classified As Malware But Allowed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Proofpoint TAP Email Classified As Malware But Allowed, Download Files From Suspicious TLDs, Proofpoint TAP Email Classified As Phishing But Allowed, Proofpoint TAP Email Classified As Spam But Allowed, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
index f77495c788..fcafac57ff 100644
--- a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
index 649b2da485..4acae02bfd 100644
--- a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (Sandboxing)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (MultiScan), SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Retarus Email Security Threat Detected (Sandboxing), SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (MultiScan)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
index 82ab187cb7..385583281b 100644
--- a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
index 7d1ce09c55..8377a56143 100644
--- a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Sliver DNS Beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
index 0acb1400c6..ea77bcd07a 100644
--- a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
index 1f50f98439..1e559af66d 100644
--- a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco NX-OS [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Empire Monkey Activity, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious Control Process, Suspicious Rundll32.exe Execution, MavInject Process Injection, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, CertOC Loading Dll, Control Panel Items, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Powershell Web Request, WMIC Uninstall Product, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Windows Script Execution, Elise Backdoor, PowerShell Downgrade Attack, Koadic Execution, AutoIt3 Execution From Suspicious Folder, Interactive Terminal Spawned via Python, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, MalwareBytes Uninstallation, PowerShell Download From URL, Microsoft Office Creating Suspicious File, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Socat Reverse Shell Detection, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Package Manager Alteration, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled Service, Clear EventLogs Through CommandLine, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, SELinux Disabling, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Disabled Service, SELinux Disabling, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Koadic Execution, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, CMSTP Execution, Suspicious Control Process, MavInject Process Injection, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Equation Group DLL_U Load, Control Panel Items"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, AutoIt3 Execution From Suspicious Folder, Socat Reverse Shell Detection, Suspicious PowerShell Invocations - Specific, Venom Multi-hop Proxy agent detection, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Python Offensive Tools and Packages, Socat Relaying Socket, Koadic Execution, Suspicious Taskkill Command, Suspicious VBS Execution Parameter, Lazarus Loaders, Suspicious Windows Script Execution, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Sysprep On AppData Folder, MalwareBytes Uninstallation, Interactive Terminal Spawned via Python, Elise Backdoor"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Package Manager Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Package Manager Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, SELinux Disabling"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Opening"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel, Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
new file mode 100644
index 0000000000..63a2adf60a
--- /dev/null
+++ b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
@@ -0,0 +1 @@
+{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, WMIC Uninstall Product, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Package Manager Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
index dd6c3d8fef..d071154d0f 100644
--- a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Secure Mobile Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Secure Mobile Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
index 2676f55628..165f7799a2 100644
--- a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
index 1ba16ba991..fe62b66735 100644
--- a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, WMIC Uninstall Product, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled IE Security Features, Raccine Uninstall, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MavInject Process Injection, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Debugging Software Deactivation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
index 2aa4b8a081..11500fd7b3 100644
--- a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika WAAP Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika WAAP Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
index 9b1d0a304b..aa9c955df1 100644
--- a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
index 996ddd9067..81583cb8f2 100644
--- a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
index eeb3379ab1..37891ab9a0 100644
--- a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway DNS [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway DNS [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
index 50929e9b34..12bab25bdd 100644
--- a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Varonis Data Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Varonis Data Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
index d90afb7f3f..9c37af6329 100644
--- a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
index 4b67d01bea..4df1b72abb 100644
--- a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Github Audit logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Outside Collaborator Detected, GitHub Delete Action, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub High Risk Configuration Disabled, GitHub New Organization Member"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Outside Collaborator Detected, GitHub Delete Action, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub High Risk Configuration Disabled, GitHub New Organization Member"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Github Audit logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub New Organization Member, GitHub Delete Action, GitHub High Risk Configuration Disabled, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Outside Collaborator Detected"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub New Organization Member, GitHub Delete Action, GitHub High Risk Configuration Disabled, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Outside Collaborator Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
index 575c57f915..f1abfa8958 100644
--- a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
index 033263a580..55f14fdecc 100644
--- a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
index 6b6938561c..27f64b1bca 100644
--- a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json
index 21391663d8..cb8cdcbb7a 100644
--- a/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 1.0 [Deprecated]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Sliver DNS Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Suspicious HWP Child Process, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Suspicious Outlook Child Process, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign, Suspicious certutil command"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Spoolsv Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, Winlogon wrong parent, Winrshost Wrong Parent, New Service Creation, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Explorer Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Spoolsv Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, Winlogon wrong parent, Winrshost Wrong Parent, New Service Creation, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Explorer Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Logonui Wrong Parent, Suspicious DNS Child Process, Winlogon wrong parent, Taskhost Wrong Parent, Winrshost Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, PsExec Process, Rare Logonui Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Logonui Wrong Parent, Suspicious DNS Child Process, Winlogon wrong parent, Taskhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Suspicious File Creation, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Windows Update LolBins, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, PsExec Process, Rare Logonui Child Found"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Empire Monkey Activity, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Control Process, MOFComp Execution, Suspicious DLL Loading By Ordinal, Control Panel Items, xWizard Execution, Equation Group DLL_U Load, MavInject Process Injection, Explorer Process Executing HTA File, CMSTP Execution, CMSTP UAC Bypass via COM Object Access, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Suspicious desktop.ini Action"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, WMIC Uninstall Product, Trickbot Malware Activity, Suspicious Windows Script Execution, Elise Backdoor, PowerShell Downgrade Attack, Koadic Execution, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, MalwareBytes Uninstallation, PowerShell Download From URL, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, QakBot Process Creation, Default Encoding To UTF-8 PowerShell, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Suspicious VBS Execution Parameter, Suspicious Outlook Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, Sysprep On AppData Folder, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Opening, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Load Of dbghelp/dbgcore DLL From Suspicious Process, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Trickbot Malware Activity"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 1.0 [Deprecated]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Control Process, IcedID Execution Using Excel, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, MavInject Process Injection, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, CertOC Loading Dll, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious Taskkill Command, MOFComp Execution, xWizard Execution, Control Panel Items"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, PsExec Process, Csrss Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Windows Update LolBins, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Koadic Execution, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, AutoIt3 Execution From Suspicious Folder, Trickbot Malware Activity, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Outlook Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Cmd.exe Command Line, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Microsoft Office Spawning Script, QakBot Process Creation, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious VBS Execution Parameter, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Windows Script Execution, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Sysprep On AppData Folder, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Load Of dbghelp/dbgcore DLL From Suspicious Process, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, New Service Creation, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, New Service Creation, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, PsExec Process, Csrss Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, RTLO Character, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Koadic Execution, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths, Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths, Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
index ebdf29fa04..0eea663418 100644
--- a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: TEHTRIS EDR Alert, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign, Suspicious certutil command"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, TEHTRIS EDR Alert, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Empire Monkey Activity, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious Control Process, Suspicious Rundll32.exe Execution, MavInject Process Injection, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, CertOC Loading Dll, Control Panel Items, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, TEHTRIS EDR Alert, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Powershell Web Request, WMIC Uninstall Product, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Windows Script Execution, Elise Backdoor, PowerShell Downgrade Attack, Koadic Execution, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, MalwareBytes Uninstallation, PowerShell Download From URL, Microsoft Office Creating Suspicious File, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Package Manager Alteration, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Koadic Execution, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, CMSTP Execution, Suspicious Control Process, MavInject Process Injection, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Equation Group DLL_U Load, Control Panel Items"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Suspicious File Creation, TEHTRIS EDR Alert"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, TEHTRIS EDR Alert, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Koadic Execution, Suspicious Taskkill Command, Suspicious VBS Execution Parameter, Lazarus Loaders, Suspicious Windows Script Execution, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Sysprep On AppData Folder, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Package Manager Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Package Manager Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Opening"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, TEHTRIS EDR Alert, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
index f43ea7d909..cf04290659 100644
--- a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
index 899dea1f29..c96df692d2 100644
--- a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Python HTTP Server, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Nimbo-C2 User Agent, Python HTTP Server, Suspicious LDAP-Attributes Used, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Koadic MSHTML Command, Sliver DNS Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, Failed Logon Source From Public IP Addresses, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious HWP Child Process, Suspicious Outlook Child Process, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Audit CVE Event, Download Files From Suspicious TLDs, Suspicious HWP Child Process, Antivirus Exploitation Framework Detection, Msdt (Follina) File Browse Process Execution, Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641, Antivirus Password Dumper Detection, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Sysmon Windows File Block Executable, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Hlai Engine Detection, Download Files From Non-Legitimate TLDs, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Medium Level Rule Detection, Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, Malspam Execution Registering Malicious DLL, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Critical Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Level Rule Detection, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Level Rule Detection, Suspicious Outlook Child Process, IcedID Execution Using Excel"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Sysmon Windows File Block Executable, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Hlai Engine Detection, Download Files From Non-Legitimate TLDs, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Medium Level Rule Detection, Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, Malspam Execution Registering Malicious DLL, HarfangLab EDR Critical Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Level Rule Detection, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Level Rule Detection, IcedID Execution Using Excel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Antivirus Web Shell Detection, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Antivirus Web Shell Detection, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: TUN/TAP Driver Installation, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious URI Used In A Lazarus Campaign, Suspicious certutil command"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Possible Malicious File Double Extension, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, Suspicious TOR Gateway, Netsh Port Forwarding"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Gpscript Suspicious Parent, Malicious Service Installations, APT29 Fake Google Update Service Install, Smss Wrong Parent, Lsass Wrong Parent, Spoolsv Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, Winlogon wrong parent, Winrshost Wrong Parent, StoneDrill Service Install, Chafer (APT 39) Activity, New Service Creation, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Explorer Wrong Parent, Cobalt Strike Default Service Creation Usage, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Gpscript Suspicious Parent, Malicious Service Installations, APT29 Fake Google Update Service Install, Smss Wrong Parent, Lsass Wrong Parent, Spoolsv Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, Winlogon wrong parent, Winrshost Wrong Parent, StoneDrill Service Install, Chafer (APT 39) Activity, New Service Creation, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Explorer Wrong Parent, Cobalt Strike Default Service Creation Usage, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Metasploit PSExec Service Creation, Gpscript Suspicious Parent, Malicious Service Installations, Smss Wrong Parent, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Logonui Wrong Parent, Suspicious DNS Child Process, Winlogon wrong parent, Taskhost Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools, Suspicious PsExec Execution, Smbexec.py Service Installation, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Credential Dumping Tools Service Execution, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, PsExec Process, Rare Logonui Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Metasploit PSExec Service Creation, Gpscript Suspicious Parent, Malicious Service Installations, Smss Wrong Parent, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Logonui Wrong Parent, Suspicious DNS Child Process, Winlogon wrong parent, Taskhost Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation, Suspicious PsExec Execution, Smbexec.py Service Installation, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Microsoft Defender Antivirus Threat Detected, Rare Lsass Child Found, OneNote Suspicious Children Process, Credential Dumping Tools Service Execution, Windows Update LolBins, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, PsExec Process, Rare Logonui Child Found"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification, Narrator Feedback-Hub Persistence, Registry Key Used By Some Old Agent Tesla Samples, Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Ryuk Ransomware Persistence Registry Key, Suspicious desktop.ini Action, Autorun Keys Modification, Kernel Module Alteration, DLL Load via LSASS Registry Key, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL, Narrator Feedback-Hub Persistence, Registry Key Used By Some Old Agent Tesla Samples, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Lateral Movement - Remote Named Pipe, Cobalt Strike Default Service Creation Usage, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Admin Share Access"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Lateral Movement - Remote Named Pipe, Cobalt Strike Default Service Creation Usage, MMC Spawning Windows Shell, RDP Login From Localhost, RDP Port Change Using Powershell, MMC20 Lateral Movement, Protected Storage Service Access, Lsass Access Through WinRM, Denied Access To Remote Desktop, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Admin Share Access"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, Werfault DLL Injection, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, Svchost DLL Search Order Hijack, Hijack Legit RDP Session To Move Laterally, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, TrustedInstaller Impersonation, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Exclusion Configuration, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Windows Defender Deactivation Using PowerShell Script, Suspicious Driver Loaded, Microsoft Defender Antivirus Configuration Changed, MalwareBytes Uninstallation, Disable Windows Defender Credential Guard, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Disable Security Events Logging Adding Reg Key MiniNt, TrustedInstaller Impersonation, Ryuk Ransomware Command Line, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Exclusion Configuration, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Windows Defender Deactivation Using PowerShell Script, Suspicious Driver Loaded, Microsoft Defender Antivirus Configuration Changed, MalwareBytes Uninstallation, Disable Windows Defender Credential Guard, Raccine Uninstall, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Microsoft Malware Protection Engine Crash, Powershell AMSI Bypass, Clear EventLogs Through CommandLine, Disable .NET ETW Through COMPlus_ETWEnabled, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspect Svchost Memory Access, Microsoft Defender Antivirus Tampering Detected, Fail2ban Unban IP, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable SecurityHealth, Python Opening Ports, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Control Process, MOFComp Execution, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, Control Panel Items, xWizard Execution, Equation Group DLL_U Load, Dynwrapx Module Loading, MavInject Process Injection, Explorer Process Executing HTA File, CMSTP Execution, CMSTP UAC Bypass via COM Object Access, IcedID Execution Using Excel, Suspicious Desktopimgdownldr Execution, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Invoke Expression With Registry, FromBase64String Command Line, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, PowerShell Credential Prompt, Powershell Web Request, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Alternate PowerShell Hosts Pipe, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, WMImplant Hack Tool, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Download From URL, PowerShell - NTFS Alternate Data Stream, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Turla Named Pipes, In-memory PowerShell, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), Detection of default Mimikatz banner"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Invoke Expression With Registry, FromBase64String Command Line, Lazarus Loaders, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, PowerShell Credential Prompt, Phorpiex DriveMgr Command, Powershell Web Request, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, WMIC Uninstall Product, Trickbot Malware Activity, Suspicious Windows Script Execution, Alternate PowerShell Hosts Pipe, WMI DLL Loaded Via Office, Elise Backdoor, Suspicious Scripting In A WMI Consumer, PowerShell Downgrade Attack, Koadic Execution, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Generic, Malspam Execution Registering Malicious DLL, PowerShell EncodedCommand, Microsoft Defender Antivirus Threat Detected, MalwareBytes Uninstallation, WMImplant Hack Tool, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Download From URL, Microsoft Office Creating Suspicious File, PowerShell - NTFS Alternate Data Stream, Venom Multi-hop Proxy agent detection, Microsoft Office Spawning Script, QakBot Process Creation, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, Suspicious DLL Loaded Via Office Applications, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious PowerShell Commandlets, Suspicious VBS Execution Parameter, Suspicious Outlook Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, Sysprep On AppData Folder, Turla Named Pipes, In-memory PowerShell, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), Detection of default Mimikatz banner"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Creation or Modification of a GPO Scheduled Task, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Creation or Modification of a GPO Scheduled Task, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious DLL Loaded Via Office Applications, WMI DLL Loaded Via Office, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Powershell AMSI Bypass, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Python Opening Ports, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Erase Shell History, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction, Credential Dumping Tools Service Execution, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, LSASS Access From Non System Account, HackTools Suspicious Process Names, Malicious Service Installations, Mimikatz Basic Commands, NTDS.dit File Interaction Through Command Line, Dumpert LSASS Process Dumper, DCSync Attack, HackTools Suspicious Process Names In Command Line, Transfering Files With Credential Data Via Network Shares, LSASS Memory Dump, NTDS.dit File In Suspicious Directory, Lsass Access Through WinRM, Active Directory Replication from Non Machine Account, Impacket Secretsdump.py Tool, Unsigned Image Loaded Into LSASS Process, Windows Credential Editor Registry Key, SAM Registry Hive Handle Request, LSASS Memory Dump File Creation, NetNTLM Downgrade Attack, Rubeus Tool Command-line, Credential Dumping By LaZagne, Cred Dump Tools Dropped Files, Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction, Credential Dumping Tools Service Execution, Process Trace Alteration, Copying Sensitive Files With Credential Data, Active Directory Database Dump Via Ntdsutil, WCE wceaux.dll Creation, Password Dumper Activity On LSASS, Load Of dbghelp/dbgcore DLL From Suspicious Process, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, Grabbing Sensitive Hives Via Reg Utility, Suspicious SAM Dump, Copying Browser Files With Credentials, Mimikatz LSASS Memory Access, RedMimicry Winnti Playbook Dropped File, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Active Directory Replication User Backdoor, Add User to Privileged Group, User Added to Local Administrators, Password Change On Directory Service Restore Mode (DSRM) Account, Privileged AD Builtin Group Modified, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Active Directory Delegate To KRBTGT Service, Active Directory User Backdoors"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel, Dynwrapx Module Loading"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, MavInject Process Injection, Dynwrapx Module Loading"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, Taskhost Wrong Parent, CreateRemoteThread Common Process Injection, Process Herpaderping, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Dynwrapx Module Loading, MavInject Process Injection, Cobalt Strike Named Pipes, Explorer Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Process Hollowing Detection, Svchost Wrong Parent, Malicious Named Pipe"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command, Suspicious Mshta Execution"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, RDP Login From Localhost, RDP Port Change Using Powershell"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Change Default File Association, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, WMI Event Subscription, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, User Added to Local Administrators, Account Removed From A Security Enabled Group, Denied Access To Remote Desktop, Admin User RDP Remote Logon, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Password Dumper Activity On LSASS, Credential Dumping By LaZagne, Load Of dbghelp/dbgcore DLL From Suspicious Process, Cred Dump Tools Dropped Files, LSASS Access From Non System Account, Credential Dumping-Tools Common Named Pipes, Lsass Access Through WinRM, Process Memory Dump Using Createdump, Credential Dumping Tools Service Execution, Unsigned Image Loaded Into LSASS Process, Dumpert LSASS Process Dumper, Windows Credential Editor Registry Key, Mimikatz LSASS Memory Access, LSASS Memory Dump File Creation, LSASS Memory Dump"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Impacket Secretsdump.py Tool, SAM Registry Hive Handle Request, RedMimicry Winnti Playbook Dropped File"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Register New Logon Process, Suspicious Outbound Kerberos Connection, Possible Replay Attack, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, AD Object WriteDAC Access"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt, Rubeus Tool Command-line, Abusing Azure Browser SSO"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMImplant Hack Tool, WMI DLL Loaded Via Office, Blue Mockingbird Malware, Wmic Process Call Creation, Invoke-TheHash Commandlets, Wmic Service Call, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled, Suspect Svchost Memory Access"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, DCSync Attack, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Suspicious New Printer Ports In Registry, Disable Security Events Logging Adding Reg Key MiniNt, RDP Port Change Using Powershell, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, RedMimicry Winnti Playbook Registry Manipulation, Chafer (APT 39) Activity, Disable Workstation Lock, Suspicious Desktopimgdownldr Execution, OceanLotus Registry Activity, Remote Registry Management Using Reg Utility, Disable .NET ETW Through COMPlus_ETWEnabled, FlowCloud Malware, NetNTLM Downgrade Attack, Ursnif Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Cred Dump Tools Dropped Files, NTDS.dit File Interaction Through Command Line, Impacket Secretsdump.py Tool, Copying Sensitive Files With Credential Data, Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, PowerView commandlets 1, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration, PowerView commandlets 2, AD User Enumeration"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Remote Registry Management Using Reg Utility, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Phosphorus Domain Controller Discovery, PowerView commandlets 1, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, PowerView commandlets 2, Trickbot Malware Activity"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DNS ServerLevelPluginDll Installation, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL, DHCP Callout DLL Installation, Svchost DLL Search Order Hijack, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Secure Deletion With SDelete, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, Bloodhound and Sharphound Tools Usage, AD User Enumeration"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Handle Failure, PowerView commandlets 2, PowerView commandlets 1, SCM Database Privileged Operation"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing, Remote Registry Management Using Reg Utility, SysKey Registry Keys Access"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In, Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event, CVE-2019-0708 Scan"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, Suspicious LDAP-Attributes Used, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server, SEKOIA.IO Intelligence Feed, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Defender Deactivation Using PowerShell Script, Windows Firewall Changes, Microsoft Defender Antivirus Disable Services, Disable Security Events Logging Adding Reg Key MiniNt, Microsoft Malware Protection Engine Crash, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Opening, Microsoft Defender Antivirus Exclusion Configuration, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Tampering Detected, Fail2ban Unban IP, Netsh Port Opening, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Suspect Svchost Memory Access, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, NetNTLM Downgrade Attack, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Ryuk Ransomware Command Line, MalwareBytes Uninstallation, Python Opening Ports, TrustedInstaller Impersonation, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Disable Services, Microsoft Malware Protection Engine Crash, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Opening, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, WMIC Uninstall Product, NetNTLM Downgrade Attack, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Ryuk Ransomware Command Line, MalwareBytes Uninstallation, TrustedInstaller Impersonation, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Msdt (Follina) File Browse Process Execution, Suspicious HWP Child Process, Antivirus Password Dumper Detection, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641, Audit CVE Event"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Dynwrapx Module Loading, CMSTP UAC Bypass via COM Object Access, Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Control Process, IcedID Execution Using Excel, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, MavInject Process Injection, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, CertOC Loading Dll, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious Taskkill Command, Suspicious Desktopimgdownldr Execution, MOFComp Execution, xWizard Execution, Control Panel Items"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smbexec.py Service Installation, Wsmprovhost Wrong Parent, SolarWinds Suspicious File Creation, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, PsExec Process, Credential Dumping Tools Service Execution, Csrss Child Found, Metasploit PSExec Service Creation, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Microsoft Defender Antivirus Threat Detected, Usage Of Sysinternals Tools, Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Lsass Child Found, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Windows Update LolBins, Winrshost Wrong Parent, Suspicious PsExec Execution, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Python Opening Ports"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Credential Dumping By LaZagne, Process Memory Dump Using Rdrleakdiag, Unsigned Image Loaded Into LSASS Process, Password Dumper Activity On LSASS, LSASS Memory Dump File Creation, Dumpert LSASS Process Dumper, LSASS Memory Dump, Cred Dump Tools Dropped Files, Load Of dbghelp/dbgcore DLL From Suspicious Process, LSASS Access From Non System Account, Mimikatz LSASS Memory Access, Credential Dumping Tools Service Execution, Lsass Access Through WinRM, Credential Dumping-Tools Common Named Pipes, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Copying Browser Files With Credentials, Password Dumper Activity On LSASS, Load Of dbghelp/dbgcore DLL From Suspicious Process, Dumpert LSASS Process Dumper, LSASS Memory Dump, Cred Dump Tools Dropped Files, Suspicious SAM Dump, LSASS Access From Non System Account, Impacket Secretsdump.py Tool, SAM Registry Hive Handle Request, Wdigest Enable UseLogonCredential, Mimikatz LSASS Memory Access, Process Memory Dump Using Createdump, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction, Copying Sensitive Files With Credential Data, RedMimicry Winnti Playbook Dropped File, Active Directory Replication from Non Machine Account, Process Memory Dump Using Comsvcs, Credential Dumping Tools Service Execution, Credential Dumping By LaZagne, Malicious Service Installations, HackTools Suspicious Process Names In Command Line, LSASS Memory Dump File Creation, DCSync Attack, WCE wceaux.dll Creation, HackTools Suspicious Process Names, Windows Credential Editor Registry Key, Active Directory Database Dump Via Ntdsutil, Unsigned Image Loaded Into LSASS Process, Mimikatz Basic Commands, Transfering Files With Credential Data Via Network Shares, NetNTLM Downgrade Attack, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Lsass Access Through WinRM, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Protected Storage Service Access, RDP Login From Localhost, Admin Share Access, Remote Service Activity Via SVCCTL Named Pipe, Cobalt Strike Default Service Creation Usage, MMC Spawning Windows Shell, RDP Port Change Using Powershell, Denied Access To Remote Desktop, Smbexec.py Service Installation, Lateral Movement - Remote Named Pipe, Lsass Access Through WinRM, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Mustang Panda Dropper, Koadic Execution, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, AutoIt3 Execution From Suspicious Folder, Trickbot Malware Activity, PowerShell Credential Prompt, WMI DLL Loaded Via Office, Turla Named Pipes, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Outlook Child Process, Venom Multi-hop Proxy agent detection, Mustang Panda Dropper, Suspicious Scripting In A WMI Consumer, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, Suspicious Cmd.exe Command Line, Alternate PowerShell Hosts Pipe, In-memory PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell - NTFS Alternate Data Stream, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, Suspicious DLL Loaded Via Office Applications, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, DNS Exfiltration and Tunneling Tools Execution, Microsoft Office Spawning Script, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, Microsoft Defender Antivirus Threat Detected, QakBot Process Creation, Koadic Execution, PowerShell Malicious PowerShell Commandlets, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious VBS Execution Parameter, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Windows Script Execution, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Sysprep On AppData Folder, FromBase64String Command Line, Exploiting SetupComplete.cmd CVE-2019-1378, WMImplant Hack Tool, MalwareBytes Uninstallation, Detection of default Mimikatz banner, Elise Backdoor"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Opening Of a Password File, Container Credential Access, Adexplorer Usage, Remote Registry Management Using Reg Utility, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Credential Prompt, Turla Named Pipes, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, Alternate PowerShell Hosts Pipe, In-memory PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell - NTFS Alternate Data Stream, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, FromBase64String Command Line, WMImplant Hack Tool, Detection of default Mimikatz banner"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Domain Trust Created Or Removed, GPO Executable Delivery, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Register New Logon Process, Suspicious Outbound Kerberos Connection, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, HarfangLab EDR Hlai Engine Detection, Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs, Suspicious DLL Loaded Via Office Applications, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, HarfangLab EDR Hlai Engine Detection, Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs, Suspicious DLL Loaded Via Office Applications, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan, Audit CVE Event"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Dynwrapx Module Loading, Svchost Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, CreateRemoteThread Common Process Injection, Process Herpaderping, Searchindexer Wrong Parent, Malicious Named Pipe, Explorer Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Process Hollowing Detection, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Cobalt Strike Named Pipes"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Cred Dump Tools Dropped Files, Suspicious SAM Dump, RedMimicry Winnti Playbook Dropped File, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, SAM Registry Hive Handle Request, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory, Cred Dump Tools Dropped Files, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, TUN/TAP Driver Installation"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Leviathan Registry Key Activity, Registry Key Used By Some Old Agent Tesla Samples, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Leviathan Registry Key Activity, DLL Load via LSASS Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Security Support Provider (SSP) Added to LSA Configuration, NjRat Registry Changes, Suspicious desktop.ini Action, Narrator Feedback-Hub Persistence, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Powershell Winlogon Helper DLL, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, AD Object WriteDAC Access, File Or Folder Permissions Modifications"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, Invoke-TheHash Commandlets, WMIC Uninstall Product, WMI DLL Loaded Via Office, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMImplant Hack Tool, WMI Install Of Binary"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious DLL Loaded Via Office Applications, Suspicious Windows Script Execution, WMI DLL Loaded Via Office, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Koadic Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Svchost Wrong Parent, APT29 Fake Google Update Service Install, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, New Service Creation, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, Chafer (APT 39) Activity, Malicious Service Installations, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Cobalt Strike Default Service Creation Usage, StoneDrill Service Install, Rare Lsass Child Found, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Svchost Wrong Parent, APT29 Fake Google Update Service Install, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, New Service Creation, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, Csrss Child Found, Searchprotocolhost Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, Chafer (APT 39) Activity, Malicious Service Installations, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Cobalt Strike Default Service Creation Usage, StoneDrill Service Install, Rare Lsass Child Found, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smbexec.py Service Installation, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, PsExec Process, Credential Dumping Tools Service Execution, Csrss Child Found, Metasploit PSExec Service Creation, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Usage Of Sysinternals Tools, Dllhost Wrong Parent, Usage Of Procdump With Common Arguments, Rare Lsass Child Found, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Suspicious PsExec Execution, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Change Default File Association, Suspicious Netsh DLL Persistence, Suspicious Scripting In A WMI Consumer, WMI Event Subscription, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Rclone Process, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious certutil command, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Secure Deletion With SDelete, Microsoft Defender Antivirus Tampering Detected, Eventlog Cleared"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Failed Logon Source From Public IP Addresses, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, GitLab CVE-2021-22205, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Chafer (APT 39) Activity, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Chafer (APT 39) Activity, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe, Schtasks Suspicious Parent"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder, AutoIt3 Execution From Suspicious Folder, Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, RTLO Character, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Explorer Wrong Parent"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage, PowerView commandlets 1, Phosphorus Domain Controller Discovery, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Protected Storage Service Access, Admin Share Access, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Lateral Movement - Remote Named Pipe"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, Secure Deletion With SDelete, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, Suspicious Windows DNS Queries, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths, Webshell Creation, Exchange Server Creating Unusual Files, Antivirus Web Shell Detection, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths, Webshell Creation, Exchange Server Creating Unusual Files, Antivirus Web Shell Detection, PowerCat Function Loading"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Active Directory Shadow Credentials, KeePass Config XML In Command-Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Werfault DLL Injection, Suspicious DLL side loading from ProgramData, Svchost DLL Search Order Hijack, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Werfault DLL Injection, Suspicious DLL side loading from ProgramData, Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Mimikatz Basic Commands, Privileged AD Builtin Group Modified, User Added to Local Administrators, Active Directory Delegate To KRBTGT Service, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory User Backdoors, Active Directory Replication User Backdoor, Add User to Privileged Group"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, AD User Enumeration, PowerView commandlets 2, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD User Enumeration, Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Handle Failure, PowerView commandlets 2, SCM Database Privileged Operation"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, Chafer (APT 39) Activity, OceanLotus Registry Activity, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable Workstation Lock, FlowCloud Malware, Suspicious New Printer Ports In Registry, NetNTLM Downgrade Attack, Disable Security Events Logging Adding Reg Key MiniNt, RDP Port Change Using Powershell, DNS ServerLevelPluginDll Installation, Wdigest Enable UseLogonCredential, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command, SysKey Registry Keys Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, User Added to Local Administrators, Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group, Denied Access To Remote Desktop, Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cred Dump Tools Dropped Files, DPAPI Domain Backup Key Extraction, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cred Dump Tools Dropped Files, Cmdkey Cached Credentials Recon, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted, Secure Deletion With SDelete"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled, Suspect Svchost Memory Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Denied Access To Remote Desktop, RDP Login From Localhost"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Active Directory Replication from Non Machine Account, DCSync Attack"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Dynwrapx Module Loading"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel, Microsoft Office Startup Add-In"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Suspicious Hostname, Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
index 559c911176..5dec0f77ca 100644
--- a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Darktrace Threat Visualizer [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Critical Alert, Darktrace Threat Visualizer Model Breach Suspicious Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Critical Alert, Darktrace Threat Visualizer Model Breach Suspicious Alert"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Darktrace Threat Visualizer [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
index 8b8d8930ac..8d9b5a0427 100644
--- a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
index 306b47ba40..96166fcce7 100644
--- a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Analysis Threat Center [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Empire Monkey Activity, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Control Process, MOFComp Execution, Suspicious DLL Loading By Ordinal, Control Panel Items, xWizard Execution, Equation Group DLL_U Load, MavInject Process Injection, Explorer Process Executing HTA File, CMSTP Execution, CMSTP UAC Bypass via COM Object Access, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Rare Logonui Child Found, Csrss Child Found, Winword wrong parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Rare Logonui Child Found, Windows Update LolBins, Csrss Child Found, Winword wrong parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Microsoft Office Creating Suspicious File, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, WMIC Uninstall Product, Trickbot Malware Activity, Suspicious Windows Script Execution, Elise Backdoor, PowerShell Downgrade Attack, Koadic Execution, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, MalwareBytes Uninstallation, PowerShell Download From URL, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, QakBot Process Creation, Default Encoding To UTF-8 PowerShell, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Suspicious VBS Execution Parameter, Suspicious Outlook Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, Sysprep On AppData Folder, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Opening, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, MalwareBytes Uninstallation, Raccine Uninstall, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Disable .NET ETW Through COMPlus_ETWEnabled, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Rare Logonui Child Found, Csrss Child Found, New Service Creation, Winword wrong parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Rare Logonui Child Found, Csrss Child Found, New Service Creation, Winword wrong parent, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Trickbot Malware Activity"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Python HTTP Server"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Analysis Threat Center [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Control Process, IcedID Execution Using Excel, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, MavInject Process Injection, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, CertOC Loading Dll, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious Taskkill Command, MOFComp Execution, xWizard Execution, Control Panel Items"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Searchprotocolhost Child Found, PsExec Process, Windows Update LolBins, Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation, Winword wrong parent, Rare Lsass Child Found"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Koadic Execution, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Trickbot Malware Activity, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Outlook Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Cmd.exe Command Line, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Microsoft Office Spawning Script, QakBot Process Creation, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious VBS Execution Parameter, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Windows Script Execution, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Sysprep On AppData Folder, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Searchprotocolhost Child Found, PsExec Process, Usage Of Sysinternals Tools, Csrss Child Found, Winword wrong parent, Rare Lsass Child Found"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, RTLO Character, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Koadic Execution, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Explorer Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, New Service Creation, Winword wrong parent, Rare Lsass Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Explorer Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, New Service Creation, Winword wrong parent, Rare Lsass Child Found"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, OceanLotus Registry Activity, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock, FlowCloud Malware, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Kernel Module Alteration, Leviathan Registry Key Activity"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
index e5c6c85715..c9c8ab3a9a 100644
--- a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, Cybereason EDR Alert"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Cybereason EDR Alert"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process, Cybereason EDR Alert"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, Cybereason EDR Alert"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Cybereason EDR Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cybereason EDR Alert, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
index fe779253c5..fbb85a8410 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
index 402ae91f3c..1da576113b 100644
--- a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
index fc3d6cc617..09301ee8d8 100644
--- a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
index 0fe99a9d58..9aeccf5a2f 100644
--- a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
index f9310e16fd..28395a8416 100644
--- a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign, Suspicious certutil command"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Empire Monkey Activity, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious Control Process, Suspicious Rundll32.exe Execution, MavInject Process Injection, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, CertOC Loading Dll, Control Panel Items, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Powershell Web Request, WMIC Uninstall Product, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Windows Script Execution, Elise Backdoor, PowerShell Downgrade Attack, Koadic Execution, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, MalwareBytes Uninstallation, PowerShell Download From URL, Microsoft Office Creating Suspicious File, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Package Manager Alteration, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Koadic Execution, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, CMSTP Execution, Suspicious Control Process, MavInject Process Injection, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Equation Group DLL_U Load, Control Panel Items"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Python Offensive Tools and Packages, Koadic Execution, Suspicious Taskkill Command, Suspicious VBS Execution Parameter, Lazarus Loaders, Suspicious Windows Script Execution, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Sysprep On AppData Folder, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Package Manager Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Package Manager Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Opening"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
index f2a5cb391e..e682083e57 100644
--- a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
new file mode 100644
index 0000000000..0ab521a6ed
--- /dev/null
+++ b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
@@ -0,0 +1 @@
+{"name": "SEKOIA.IO x Trellix Network Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
index 03bf39e633..10ca772604 100644
--- a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Sliver DNS Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Sliver DNS Beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
index b96268a26b..af7936bdbc 100644
--- a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
index cc7313672b..8ced0aa63e 100644
--- a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
index f698691e99..d238eec1cf 100644
--- a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Control Process, MOFComp Execution, Suspicious DLL Loading By Ordinal, Control Panel Items, xWizard Execution, Equation Group DLL_U Load, MavInject Process Injection, Explorer Process Executing HTA File, CMSTP Execution, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, Suspicious DNS Child Process, Winlogon wrong parent, Taskhost Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, PsExec Process, Rare Logonui Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, Suspicious DNS Child Process, Winlogon wrong parent, Taskhost Wrong Parent, Winrshost Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Microsoft Defender Antivirus Threat Detected, Rare Lsass Child Found, OneNote Suspicious Children Process, Windows Update LolBins, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, PsExec Process, Rare Logonui Child Found"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, Winlogon wrong parent, Winrshost Wrong Parent, New Service Creation, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, Winlogon wrong parent, Winrshost Wrong Parent, New Service Creation, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wininit Wrong Parent, Wmiprvse Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Suspicious desktop.ini Action, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, Leviathan Registry Key Activity"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, WMIC Uninstall Product, Suspicious Windows Script Execution, Elise Backdoor, PowerShell Downgrade Attack, Koadic Execution, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Threat Detected, MalwareBytes Uninstallation, PowerShell Download From URL, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, QakBot Process Creation, Default Encoding To UTF-8 PowerShell, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Suspicious VBS Execution Parameter, Suspicious Outlook Child Process, Sysprep On AppData Folder, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Package Manager Alteration, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, MalwareBytes Uninstallation, Raccine Uninstall, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Disable .NET ETW Through COMPlus_ETWEnabled, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Microsoft Defender Antivirus Tampering Detected, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, HackTools Suspicious Process Names, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Createdump, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Process Memory Dump Using Createdump"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Elise Backdoor, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Antivirus Relevant File Paths Alerts, Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Control Process, IcedID Execution Using Excel, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, MavInject Process Injection, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, CertOC Loading Dll, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious Taskkill Command, MOFComp Execution, xWizard Execution, Control Panel Items"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, PsExec Process, Csrss Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Microsoft Defender Antivirus Threat Detected, Usage Of Sysinternals Tools, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Wininit Wrong Parent, Windows Update LolBins, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, MalwareBytes Uninstallation, Koadic Execution, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, AutoIt3 Execution From Suspicious Folder, PowerShell Credential Prompt, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Outlook Child Process, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, Suspicious Cmd.exe Command Line, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell - NTFS Alternate Data Stream, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, DNS Exfiltration and Tunneling Tools Execution, Microsoft Office Spawning Script, PowerShell EncodedCommand, QakBot Process Creation, Malicious PowerShell Keywords, Microsoft Defender Antivirus Threat Detected, Python Offensive Tools and Packages, Koadic Execution, PowerShell Malicious PowerShell Commandlets, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious VBS Execution Parameter, Lazarus Loaders, Suspicious Windows Script Execution, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Sysprep On AppData Folder, FromBase64String Command Line, WMImplant Hack Tool, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Generic, Elise Backdoor"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Credential Prompt, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Invoke Expression With Registry, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell - NTFS Alternate Data Stream, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Malicious PowerShell Keywords, PowerShell Malicious PowerShell Commandlets, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, FromBase64String Command Line, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Defender Antivirus Threat Detected, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Disable Services, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Package Manager Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, TrustedInstaller Impersonation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Defender Deactivation Using PowerShell Script, Windows Firewall Changes, Microsoft Defender Antivirus Disable Services, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Tampering Detected, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Package Manager Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, TrustedInstaller Impersonation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, HackTools Suspicious Process Names"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, PsExec Process, Csrss Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Usage Of Sysinternals Tools, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, RTLO Character, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Port Opening"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Koadic Execution, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage, PowerView commandlets 1, Phosphorus Domain Controller Discovery, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, New Service Creation, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Chafer (APT 39) Activity, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Wmiprvse Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, New Service Creation, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Chafer (APT 39) Activity, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Wmiprvse Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Taskhostw Wrong Parent, Searchindexer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, Chafer (APT 39) Activity, OceanLotus Registry Activity, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock, FlowCloud Malware, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, Invoke-TheHash Commandlets, WMIC Uninstall Product, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMImplant Hack Tool, WMI Install Of Binary"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, NjRat Registry Changes, Suspicious desktop.ini Action, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Powershell Winlogon Helper DLL, Autorun Keys Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Cron Files Alteration, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Register New Logon Process, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
index d97b3d320f..cb5c407359 100644
--- a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
index 11050eb19a..5fc895ddf3 100644
--- a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) AtpDetection, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Safelinks Disabled, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Mass Download By A Single User, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) MCAS New Country"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft 365 (Office 365) AtpDetection, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Safelinks Disabled, Download Files From Suspicious TLDs, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Possible Malicious File Double Extension, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) MCAS New Country"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Consumer Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Consumer Email Address"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses, Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) MCAS Risky IP, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) AtpDetection, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Suspicious Double Extension, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MCAS Repeated Delete"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) AtpDetection, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MCAS Repeated Delete"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert, Suspicious Double Extension, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group, Microsoft 365 Device Code Authentication, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
index 1fffd7976c..c28bc0d5e1 100644
--- a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OGO WAF [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
index 59935e0b25..6f7a210f2b 100644
--- a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway Network [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway Network [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
index 8cfcb0512e..534aea0fdc 100644
--- a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Salesforce [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Salesforce [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
index 40a7679cdd..91cad9ab18 100644
--- a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail Route 53 Domain Transfer Attempt"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail Route 53 Domain Transfer Attempt"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Remove Flow logs, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail Disable MFA, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Important Change"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Remove Flow logs, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail Disable MFA, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Important Change"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Change Master Password, AWS CloudTrail RDS Public DB Restore"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail RDS DB Cluster/Instance Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail Important Change, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Remove Flow logs, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Disable MFA, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail GuardDuty Detector Suspended"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail Important Change, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Remove Flow logs, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail Disable MFA, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail GuardDuty Detector Suspended"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail IAM Policy Changed, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail Route 53 Domain Transfer Lock Disabled"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail IAM Policy Changed, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail Route 53 Domain Transfer Lock Disabled"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail RDS DB Cluster/Instance Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
index 51d82f8ada..2f86b1ac0e 100644
--- a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
index 48b86e436e..1708ffb9b7 100644
--- a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
index e197a5d327..fa54a4196d 100644
--- a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
index 49a1aa1cb1..231eec9cc5 100644
--- a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json
index 1a8809ca00..d945d22a70 100644
--- a/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Panda Security SIEM Feeder", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, Ursnif Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Panda Security SIEM Feeder", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, OceanLotus Registry Activity, Disable Workstation Lock, FlowCloud Malware, Ursnif Registry Key"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
index 88e3757dd5..d506f1c286 100644
--- a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Zscaler Internet Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Zscaler Internet Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Sliver DNS Beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
index 3aa9b441d6..74fe0b48ab 100644
--- a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netskope Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netskope Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
index f501a53a45..e7ee97ccda 100644
--- a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
index 29ab5f7fa9..53d03a75f6 100644
--- a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Scam Detected By Vade For M365 And Not Blocked, Spearphishing (CEO Fraud) Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, SEKOIA.IO Intelligence Feed, Scam Detected By Vade For M365, Phishing Detected By Vade For M365, Spearphishing (W2 Fraud) Detected By Vade For M365, Spam Detected By Vade For M365, Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Spam Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Spearphishing (W2 Fraud) Detected By Vade For M365, Malware Detected By Vade For M365, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365, Spearphishing (CEO Fraud) Detected By Vade For M365, SEKOIA.IO Intelligence Feed, Malware Detected By Vade For M365 And Not Blocked, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365 And Not Blocked, Scam Detected By Vade For M365"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
index 64d831c621..8c06469e0d 100644
--- a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta User Account Deactivated, Okta Application deleted, Okta Application modified, Okta User Impersonation Access, Okta Admin Privilege Granted"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token revoked, Okta API Token created"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Modified or Deleted, Okta Policy Rule Modified or Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Unauthorized Access to App, Okta Suspicious Activity Reported"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta MFA Disabled, Okta Blacklist Manipulations, Okta Network Zone Deactivated, Okta Network Zone Deleted, Okta Network Zone Modified, Okta Security Threat Configuration Updated"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Network Zone Modified, Okta Network Zone Deleted"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Okta Phishing Detection with FastPass Origin Check, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Okta Phishing Detection with FastPass Origin Check, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Modified or Deleted, Okta Policy Rule Modified or Deleted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta User Impersonation Access, Okta User Account Deactivated, Okta Application deleted, Okta Application modified, Okta Admin Privilege Granted"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Suspicious Activity Reported, Okta Unauthorized Access to App"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta MFA Disabled, Okta Network Zone Deactivated, Okta Security Threat Configuration Updated, Okta Network Zone Deleted, Okta Network Zone Modified, Okta Blacklist Manipulations"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Network Zone Modified, Okta Network Zone Deleted"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token revoked, Okta API Token created"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
index 129b2068d8..69be7176a9 100644
--- a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Empire Monkey Activity, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious Control Process, Suspicious Rundll32.exe Execution, MavInject Process Injection, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, CertOC Loading Dll, Control Panel Items, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Phorpiex DriveMgr Command, Powershell Web Request, WMIC Uninstall Product, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Windows Script Execution, Elise Backdoor, PowerShell Downgrade Attack, Koadic Execution, Interactive Terminal Spawned via Python, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, MalwareBytes Uninstallation, PowerShell Download From URL, Microsoft Office Creating Suspicious File, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Socat Reverse Shell Detection, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled Service, Clear EventLogs Through CommandLine, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, SELinux Disabling, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Disabled Service, SELinux Disabling, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Koadic Execution, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, WMIC Uninstall Product"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, CMSTP Execution, Suspicious Control Process, MavInject Process Injection, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, Equation Group DLL_U Load, Control Panel Items"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Socat Reverse Shell Detection, Suspicious PowerShell Invocations - Specific, Venom Multi-hop Proxy agent detection, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Python Offensive Tools and Packages, Socat Relaying Socket, Koadic Execution, Suspicious Taskkill Command, Suspicious VBS Execution Parameter, Lazarus Loaders, Suspicious Windows Script Execution, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Sysprep On AppData Folder, MalwareBytes Uninstallation, Interactive Terminal Spawned via Python, Elise Backdoor"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, SELinux Disabling"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Opening"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
index 61e1206d2a..b3da02c207 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Firewall [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
index 14c99fdfca..98bad2d03e 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
index 7fe5f38b34..a694455759 100644
--- a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21972 VMware vCenter, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
index 2bb971aab8..3010141d9c 100644
--- a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway HTTP [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway HTTP [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-13379 Fortinet Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
index ca0123f74a..061e938823 100644
--- a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x StormShield SES [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Suspicious HWP Child Process, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Download Files From Suspicious TLDs, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious URI Used In A Lazarus Campaign, Suspicious certutil command"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Empire Monkey Activity, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Control Process, MOFComp Execution, Suspicious DLL Loading By Ordinal, Control Panel Items, xWizard Execution, Equation Group DLL_U Load, MavInject Process Injection, Explorer Process Executing HTA File, CMSTP Execution, CMSTP UAC Bypass via COM Object Access, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, AccCheckConsole Executing Dll"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Logonui Wrong Parent, Suspicious DNS Child Process, Winlogon wrong parent, Taskhost Wrong Parent, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, PsExec Process, Rare Logonui Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Logonui Wrong Parent, Suspicious DNS Child Process, Winlogon wrong parent, Taskhost Wrong Parent, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Windows Update LolBins, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, PsExec Process, Rare Logonui Child Found"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Spoolsv Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, Winlogon wrong parent, New Service Creation, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Lsass Wrong Parent, Spoolsv Wrong Parent, Logonui Wrong Parent, Taskhost Wrong Parent, Winlogon wrong parent, New Service Creation, Wsmprovhost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Dllhost Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent, Wmiprvse Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Csrss Child Found, Svchost Wrong Parent, Winword wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, WMIC Uninstall Product, Trickbot Malware Activity, Suspicious Windows Script Execution, Elise Backdoor, PowerShell Downgrade Attack, Koadic Execution, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, MalwareBytes Uninstallation, PowerShell Download From URL, Microsoft Office Spawning Script, QakBot Process Creation, Default Encoding To UTF-8 PowerShell, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Suspicious VBS Execution Parameter, Suspicious Outlook Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, Sysprep On AppData Folder, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, QakBot Process Creation, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh Allowed Python Program, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Opening, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Package Manager Alteration, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, MalwareBytes Uninstallation, Raccine Uninstall, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Opening"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, Leviathan Registry Key Activity"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Suspicious Taskkill Command, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, Ursnif Registry Key"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Trickbot Malware Activity"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x StormShield SES [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Control Process, IcedID Execution Using Excel, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, MavInject Process Injection, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, CertOC Loading Dll, Suspicious Mshta Execution, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious Taskkill Command, MOFComp Execution, xWizard Execution, Control Panel Items"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Netsh Allowed Python Program, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Package Manager Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Raccine Uninstall, Package Manager Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh RDP Port Forwarding, WMIC Uninstall Product, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, WMIC Uninstall Product, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Koadic Execution, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Trickbot Malware Activity, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Suspicious Outlook Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Cmd.exe Command Line, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Microsoft Office Spawning Script, QakBot Process Creation, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious VBS Execution Parameter, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Windows Script Execution, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Sysprep On AppData Folder, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Opening Of a Password File, Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, PsExec Process, Csrss Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Usage Of Sysinternals Tools, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Windows Update LolBins, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, PsExec Process, Csrss Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Usage Of Sysinternals Tools, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Smss Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, New Service Creation, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, New Service Creation, Userinit Wrong Parent, Rare Logonui Child Found, Lsass Wrong Parent, Searchprotocolhost Child Found, Searchindexer Wrong Parent, Csrss Child Found, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Dllhost Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Winword wrong parent"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Cron Files Alteration, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, OceanLotus Registry Activity, Blue Mockingbird Malware, Disable Workstation Lock, FlowCloud Malware, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
index ce573a996d..d85e72844d 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
@@ -1,23 +1,29 @@
-Changelog _last update on 2023-10-24_
+Changelog _last update on 2023-11-02_
 
 ## Changelog
 
+### Write To File In Systemd
+  - 26/10/2023 - minor - Added filter to reduce false positives.
+    
 ### Domain Trust Discovery Through LDAP
   - 19/10/2023 - minor - improve filter to reduce false positives
     
 ### Denied Access To Remote Desktop
   - 19/10/2023 - minor - Minor change in selection to reduce false positives.
     
+### Suspicious Windows Script Execution
+  - 19/10/2023 - major - Review of the rule to reduce false positives.
+    
 ### Transfering Files With Credential Data Via Network Shares
   - 17/10/2023 - minor - Improve selection to reduce false positives
     
 ### AdFind Usage
   - 12/10/2023 - minor - Slight change to a condition in order to reduce false positives.
     
-### Microsoft 365 (Office 365) Unusual Volume Of File Deletion
+### Microsoft 365 (Office 365) Potential Ransomware Activity Detected
   - 09/10/2023 - major - Fix field names to match the current parser.
     
-### Microsoft 365 (Office 365) Potential Ransomware Activity Detected
+### Microsoft 365 (Office 365) Unusual Volume Of File Deletion
   - 09/10/2023 - major - Fix field names to match the current parser.
     
 ### Microsoft 365 (Office 365) Mass Download By A Single User
@@ -29,86 +35,83 @@ Changelog _last update on 2023-10-24_
 ### PowerView commandlets 2
   - 04/10/2023 - major - Removed an option from the ScriptBlockText selection to reduce false positives.
     
+### UAC Bypass via Event Viewer
+  - 21/09/2023 - minor - Improve filter to reduce false positives
+    
 ### Suspicious Rundll32.exe Execution
   - 21/09/2023 - minor - Extend to some usage without dll filename
     
-### UAC Bypass via Event Viewer
-  - 21/09/2023 - minor - Improve filter to reduce false positives
+### Opening Of a Password File
+  - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
     
-### Csrss Wrong Parent
+### Spoolsv Wrong Parent
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
     
 ### Winword wrong parent
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
     
-### Wsmprovhost Wrong Parent
+### Searchprotocolhost Wrong Parent
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
     
-### Taskhostw Wrong Parent
+### Gpscript Suspicious Parent
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
     
-### Dllhost Wrong Parent
+### Winrshost Wrong Parent
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
     
-### Logonui Wrong Parent
+### Wmiprvse Wrong Parent
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
     
-### Wininit Wrong Parent
+### Logonui Wrong Parent
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
     
-### Opening Of a Password File
+### Dllhost Wrong Parent
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
     
-### Smss Wrong Parent
+### Lsass Wrong Parent
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
     
 ### Searchindexer Wrong Parent
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
     
-### Svchost Wrong Parent
-  - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
-    
-### Gpscript Suspicious Parent
+### Userinit Wrong Parent
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
     
-### Winrshost Wrong Parent
+### Explorer Wrong Parent
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
     
 ### Winlogon wrong parent
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
     
-### Wmiprvse Wrong Parent
+### Taskhostw Wrong Parent
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
     
-### Lsass Wrong Parent
+### Wininit Wrong Parent
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
     
-### Spoolsv Wrong Parent
+### Svchost Wrong Parent
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
     
-### Explorer Wrong Parent
+### Wsmprovhost Wrong Parent
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
     
-### Searchprotocolhost Wrong Parent
+### Smss Wrong Parent
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
     
-### Userinit Wrong Parent
+### Taskhost Wrong Parent
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
     
-### Taskhost Wrong Parent
+### Csrss Wrong Parent
   - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
     
 ### Windows Registry Persistence COM Search Order Hijacking
   - 16/08/2023 - minor - Adding filtering for some FPs
     
-### Suspicious Network Args In Command Line
-  - 10/08/2023 - major - Added a list of suspicious processes to drastically reduce false positives.
-    
 ### MS Office Product Spawning Exe in User Dir
   - 10/08/2023 - minor - Rule modified and filter added to reduce false positives.
     
-### Okta User Logged In Multiple Applications
-  - 07/08/2023 - major - Switching type from event_count to value_count | Adding Target in order to match only on different Apps
+### Suspicious Network Args In Command Line
+  - 10/08/2023 - major - Added a list of suspicious processes to drastically reduce false positives.
     
 ### Microsoft Defender Antivirus Exclusion Configuration
   - 07/08/2023 - major - Considering the amount of false positives the rule effort has been changed to master. Furthermore a filter has been added.
@@ -116,18 +119,21 @@ Changelog _last update on 2023-10-24_
 ### Microsoft Defender Antivirus Tampering Detected
   - 07/08/2023 - minor - Rule effort changed from intermediate to advanced considering the number of false positives observed.
     
+### Okta User Logged In Multiple Applications
+  - 07/08/2023 - major - Switching type from event_count to value_count | Adding Target in order to match only on different Apps
+    
 ### Potential LokiBot User-Agent
   - 04/08/2023 - minor - Added a condition to only match on internal IP as source
     
 ### Suspicious Windows DNS Queries
   - 02/08/2023 - minor - Added a new field and filters to reduce false positives.
     
-### Wmic Process Call Creation
-  - 01/08/2023 - major - Rewritten as a regex to reduce false positives
-    
 ### Account Tampering - Suspicious Failed Logon Reasons
   - 01/08/2023 - minor - Similarity strategy for the rule has changed and is now based on the user.target.name field.
     
+### Wmic Process Call Creation
+  - 01/08/2023 - major - Rewritten as a regex to reduce false positives
+    
 ### Correlation Potential DNS Tunnel
   - 19/07/2023 - major - New regex pattern and new filters.
     
@@ -143,10 +149,10 @@ Changelog _last update on 2023-10-24_
 ### Mimikatz LSASS Memory Access
   - 21/06/2023 - minor - Whitelisted lsm.exe that triggered too many false positives.
     
-### HackTools Suspicious Process Names In Command Line
+### Msdt (Follina) File Browse Process Execution
   - 19/06/2023 - minor - Added filter to the rule to reduce false positives.
     
-### Msdt (Follina) File Browse Process Execution
+### HackTools Suspicious Process Names In Command Line
   - 19/06/2023 - minor - Added filter to the rule to reduce false positives.
     
 ### SolarWinds Wrong Child Process
@@ -173,10 +179,10 @@ Changelog _last update on 2023-10-24_
 ### WMImplant Hack Tool
   - 26/05/2023 - minor - Added a filter to the rule as many false positives were observed.
     
-### Internet Scanner
+### Internet Scanner Target
   - 28/04/2023 - minor - Support for standard ECS FW fields
     
-### Internet Scanner Target
+### Internet Scanner
   - 28/04/2023 - minor - Support for standard ECS FW fields
     
 ### Remote Privileged Group Enumeration
@@ -185,14 +191,14 @@ Changelog _last update on 2023-10-24_
 ### Audio Capture via PowerShell
   - 18/04/2023 - minor - Use more specific patterns to fix false positives.
     
-### LSASS Memory Dump
-  - 06/04/2023 - minor - Rule effort has been upgraded to master considering the number of different false positives the rule can trigger.
+### Mimikatz Basic Commands
+  - 06/04/2023 - minor - Added a filter to the rule as many false positives were observed.
     
 ### Active Directory User Backdoors
   - 06/04/2023 - minor - Removed a selection as it triggered too many false positives, and the detection was not part of the main goal of this rule.
     
-### Mimikatz Basic Commands
-  - 06/04/2023 - minor - Added a filter to the rule as many false positives were observed.
+### LSASS Memory Dump
+  - 06/04/2023 - minor - Rule effort has been upgraded to master considering the number of different false positives the rule can trigger.
     
 ### Suspicious PowerShell Invocations - Generic
   - 28/03/2023 - minor - Excluded some commonly observed false positives.
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
index 7d08758b0a..8ffc5bfd97 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
@@ -1,4 +1,4 @@
-Rules catalog includes **764 built-in detection rules** ([_last update on 2023-10-24_](rules_changelog.md)).
+Rules catalog includes **768 built-in detection rules** ([_last update on 2023-11-02_](rules_changelog.md)).
 ## Reconnaissance
 **Gather Victim Network Information**
 
@@ -1773,6 +1773,10 @@ Rules catalog includes **764 built-in detection rules** ([_last update on 2023-1
     
     - **Effort:** intermediate
     
+    - **Changelog:**
+    
+        - 19/10/2023 - major - Review of the rule to reduce false positives.
+            
 ??? abstract "Suspicious XOR Encoded PowerShell Command Line"
     
     Detects suspicious powershell process which includes bxor command, alternative obfuscation  method to b64 encoded commands.
@@ -4160,6 +4164,12 @@ Rules catalog includes **764 built-in detection rules** ([_last update on 2023-1
     
 **Modify Authentication Process**
 
+??? abstract "Active Directory Shadow Credentials"
+    
+    Detects alternative credentials material adding. Attackers can abuse msDS-KeyCredentialLink and create a key pair to obtain a persistent and stealthy access to the target user or computer. 
+    
+    - **Effort:** elementary
+    
 ??? abstract "KeePass Config XML In Command-Line"
     
     Detects a command-line interaction with the KeePass Config XML file. It could be used to retrieve informations or to be abused for persistence.
@@ -4673,6 +4683,152 @@ Rules catalog includes **764 built-in detection rules** ([_last update on 2023-1
     
     - **Effort:** intermediate
     
+**Account Manipulation**
+
+??? abstract "AWS CloudTrail IAM Failed User Creation"
+    
+    Detects an attemp to create a user account where the result is an explicit denied.
+    
+    - **Effort:** intermediate
+    
+??? abstract "AWS CloudTrail IAM Password Policy Updated"
+    
+    Detects an update to the password policy. This could be an attempt to lower accounts security level.
+    
+    - **Effort:** intermediate
+    
+??? abstract "AWS CloudTrail IAM Policy Changed"
+    
+    Detects change on AWS IAM Policy
+    
+    - **Effort:** master
+    
+??? abstract "AWS CloudTrail Root ConsoleLogin"
+    
+    Detects a login with a root account on AWS portal. It is a best practice to avoid root account usage for daily tasks and to create an IAM admin user.
+    
+    - **Effort:** intermediate
+    
+??? abstract "AWS CloudTrail Route 53 Domain Transfer Attempt"
+    
+    Detects when a request in success or failure is made to transfer a domain name to an other AWS account
+    
+    - **Effort:** intermediate
+    
+??? abstract "AWS CloudTrail Route 53 Domain Transfer Lock Disabled"
+    
+    Detects when the transfer lock feature is disabled on a domain name handled by AWS Route 53 service.
+    
+    - **Effort:** elementary
+    
+??? abstract "Active Directory Delegate To KRBTGT Service"
+    
+    Detects potential persistence installation from an already compromised administrator domain account. The attacker will create a TGT and abuse a service account with the constrained delegation and update it with the krbtgt service. The detection relies on the Event ID 4738.
+    
+    - **Effort:** intermediate
+    
+??? abstract "Active Directory Replication User Backdoor"
+    
+    Backdooring domain object to grant the rights associated with DCSync to regular user or machine account, this technics is often used to give ResetPassword or WriteMembers or DCSync permission(s) for persistency on a domain. 
+    
+    - **Effort:** advanced
+    
+??? abstract "Active Directory User Backdoors"
+    
+    Detects scenarios where the attacker controls another user or computer account without having to use their credentials.
+    
+    - **Effort:** intermediate
+    
+    - **Changelog:**
+    
+        - 06/04/2023 - minor - Removed a selection as it triggered too many false positives, and the detection was not part of the main goal of this rule.
+            
+??? abstract "Add User to Privileged Group"
+    
+    Add user in a potential privileged group which can be used to elevate privileges on the system
+    
+    - **Effort:** advanced
+    
+??? abstract "Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"
+    
+    Detects self-service password reset in failure for various reasons (except licence or policy ones)
+    
+    - **Effort:** master
+    
+??? abstract "Mimikatz Basic Commands"
+    
+    Detects Mimikatz most popular commands. 
+    
+    - **Effort:** elementary
+    
+    - **Changelog:**
+    
+        - 06/04/2023 - minor - Added a filter to the rule as many false positives were observed.
+            
+??? abstract "Okta Admin Privilege Granted"
+    
+    Administrator privilege granted to an user or account. This can be privilege escalation, persistance over system or account takedown.
+    
+    - **Effort:** advanced
+    
+??? abstract "Okta Application deleted"
+    
+    An application has been delete on Okta SSO.
+    
+    - **Effort:** advanced
+    
+??? abstract "Okta Application modified"
+    
+    An application has been updated on Okta SSO.
+    
+    - **Effort:** advanced
+    
+??? abstract "Okta User Account Deactivated"
+    
+    An user account has been deactivated in Okta.
+    
+    - **Effort:** master
+    
+??? abstract "Okta User Impersonation Access"
+    
+    A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.
+    
+    - **Effort:** advanced
+    
+??? abstract "Password Change On Directory Service Restore Mode (DSRM) Account"
+    
+    The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
+    
+    - **Effort:** intermediate
+    
+??? abstract "Privileged AD Builtin Group Modified"
+    
+    Detects changes to privileged AD builtin groups in Active Directory that could indicate malicious or unexpected administrative activity. This detection rule detects changes on specific groups that are Administrators (S-1-5-*-500), Domain Admins (S-1-5-*-512), Enterprise Admins (S-1-5-*-519), Schema Admins (S-1-5-*-518), Account Operators (S-1-5-32-548) and Backup Operators (S-1-5-32-551).
+    
+    - **Effort:** master
+    
+    - **Changelog:**
+    
+        - 10/07/2023 - minor - Added AD groups and change to effort master.
+            
+??? abstract "SSH Authorized Key Alteration"
+    
+    The file authorized_keys is used by SSH server to identify SSH keys that are authorized to connect to the host, alteration of one of those files might indicate a user compromision
+    
+    - **Effort:** advanced
+    
+??? abstract "SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory"
+    
+    Detects the SeEnableDelegationPrivilege right in Active Directory granted to a user of a computer, it would allow control of other AD user objects
+    
+    - **Effort:** elementary
+    
+??? abstract "User Added to Local Administrators"
+    
+    Detects when user accounts are added which could be legitimate activity or a sign of privilege escalation activity, Potential False-Positives Legitimate administrative activity WinRM clients
+    
+    - **Effort:** intermediate
+    
 **Web Shell**
 
 ??? abstract "Antivirus Web Shell Detection"
@@ -5491,6 +5647,12 @@ Rules catalog includes **764 built-in detection rules** ([_last update on 2023-1
     
     - **Effort:** advanced
     
+??? abstract "Linux Binary Masquerading"
+    
+    Attackers could rename legitimate system bin to evade security mechanisme
+    
+    - **Effort:** elementary
+    
 ??? abstract "New Or Renamed User Account With '$' In Attribute 'SamAccountName'"
     
     Detects possible bypass EDR and SIEM via abnormal user account name.
@@ -6609,6 +6771,12 @@ Rules catalog includes **764 built-in detection rules** ([_last update on 2023-1
             
 **Modify Authentication Process**
 
+??? abstract "Active Directory Shadow Credentials"
+    
+    Detects alternative credentials material adding. Attackers can abuse msDS-KeyCredentialLink and create a key pair to obtain a persistent and stealthy access to the target user or computer. 
+    
+    - **Effort:** elementary
+    
 ??? abstract "KeePass Config XML In Command-Line"
     
     Detects a command-line interaction with the KeePass Config XML file. It could be used to retrieve informations or to be abused for persistence.
@@ -7225,6 +7393,14 @@ Rules catalog includes **764 built-in detection rules** ([_last update on 2023-1
     
     - **Effort:** elementary
     
+**Reflective Code Loading**
+
+??? abstract "Linux Fileless Execution"
+    
+    Process image resolved to memfd syscall. Could be used by adversaries to hide malware
+    
+    - **Effort:** intermediate
+    
 ## Credential Access
 **OS Credential Dumping**
 
@@ -7525,6 +7701,10 @@ Rules catalog includes **764 built-in detection rules** ([_last update on 2023-1
     
     - **Effort:** intermediate
     
+    - **Changelog:**
+    
+        - 26/10/2023 - minor - Added filter to reduce false positives.
+            
 **Network Sniffing**
 
 ??? abstract "Capture a network trace with netsh.exe"
@@ -7703,6 +7883,12 @@ Rules catalog includes **764 built-in detection rules** ([_last update on 2023-1
     
         - 27/03/2023 - minor - Modify pattern to avoid false positive and detect usage of either / or - character for snapshot parameter
             
+??? abstract "Container Credential Access"
+    
+    Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token
+    
+    - **Effort:** intermediate
+    
 ??? abstract "Google Cloud Audit Logs 2FA Disabled"
     
     Detects when Google Cloud Audit Logs notify the 2FA deactivation for a user account.
@@ -7754,6 +7940,12 @@ Rules catalog includes **764 built-in detection rules** ([_last update on 2023-1
     
 **Modify Authentication Process**
 
+??? abstract "Active Directory Shadow Credentials"
+    
+    Detects alternative credentials material adding. Attackers can abuse msDS-KeyCredentialLink and create a key pair to obtain a persistent and stealthy access to the target user or computer. 
+    
+    - **Effort:** elementary
+    
 ??? abstract "KeePass Config XML In Command-Line"
     
     Detects a command-line interaction with the KeePass Config XML file. It could be used to retrieve informations or to be abused for persistence.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.md
index 1250162320..2efe1a20cd 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.md
@@ -117,6 +117,12 @@ The following Sekoia.io built-in rules match the intake **Elastic AuditBeat Linu
     
     - **Effort:** intermediate
 
+??? abstract "Container Credential Access"
+    
+    Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token
+    
+    - **Effort:** intermediate
+
 ??? abstract "Control Panel Items"
     
     Detects the malicious use of a control panel item
@@ -261,6 +267,12 @@ The following Sekoia.io built-in rules match the intake **Elastic AuditBeat Linu
     
     - **Effort:** advanced
 
+??? abstract "File and Directory Permissions Modification"
+    
+    Detects the use of chmod to give high level permissions to file that might be binary files
+    
+    - **Effort:** advanced
+
 ??? abstract "Grabbing Sensitive Hives Via Reg Utility"
     
     Detects dump of SAM, System or Security hives using reg.exe utility. Adversaries may attempt to dump these Windows Registry to retrieve password hashes and access credentials.
@@ -327,6 +339,12 @@ The following Sekoia.io built-in rules match the intake **Elastic AuditBeat Linu
     
     - **Effort:** elementary
 
+??? abstract "Linux Binary Masquerading"
+    
+    Attackers could rename legitimate system bin to evade security mechanisme
+    
+    - **Effort:** elementary
+
 ??? abstract "List Shadow Copies"
     
     Detects command line used to list shadow copies. An adversary may attempt to get information on shadow volumes to perform deletion or extract password hashes from the ntds.dit file. This rule requires command line logging or Windows PowerShell events (4104).
@@ -675,12 +693,30 @@ The following Sekoia.io built-in rules match the intake **Elastic AuditBeat Linu
     
     - **Effort:** intermediate
 
+??? abstract "SSH Tunnel Traffic"
+    
+    When a user creates and uses a SSH tunnel in Linux, the sshd process opens sockets to communicate with other machines or ports. With SSH tunneling, the SSH server can be used as a getaway to access internal systems. The traffic will seem to be coming from the SSH server whereas it only acts as a relay for an attacker. By using this technique, an attacker can successfully bypass external firewall rules and gain foothold to your network, allowing him to scan,hunt and attack your internal systems. This rule includes a filter on port 22, this filter is created to avoid false positive when a user is connecting via ssh. If you do not use port 22 for your machines, please create an alert filter.
+    
+    - **Effort:** advanced
+
+??? abstract "SSH X11 Forwarding"
+    
+    When a user creates and uses SSH X11 Forwarding in Linux, the sshd process opens sockets to communicate with the client machine via a ssh tunnel. X11 forwarding is used to deport graphic programs on the client side.
+    
+    - **Effort:** advanced
+
 ??? abstract "Schtasks Persistence With High Privileges"
     
     Detection of scheduled task with high privileges used by attacker for persistence.
     
     - **Effort:** elementary
 
+??? abstract "Setuid Or Setgid Usage"
+    
+    Detects the usage of a setuid or a setgid.
+    
+    - **Effort:** intermediate
+
 ??? abstract "Spyware Persistence Using Schtasks"
     
     Detects possible Agent Tesla or Formbook persistence using schtasks. The name of the scheduled task used by these malware is very specific (Updates/randomstring).
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md
index b6a0df237e..a4a04784a7 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md
@@ -135,6 +135,12 @@ The following Sekoia.io built-in rules match the intake **WithSecure Elements**.
     
     - **Effort:** intermediate
 
+??? abstract "Container Credential Access"
+    
+    Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token
+    
+    - **Effort:** intermediate
+
 ??? abstract "Control Panel Items"
     
     Detects the malicious use of a control panel item
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.md
index a923bc3098..404c9e339c 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.md
@@ -171,6 +171,12 @@ The following Sekoia.io built-in rules match the intake **Microsoft 365 Defender
     
     - **Effort:** intermediate
 
+??? abstract "Container Credential Access"
+    
+    Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token
+    
+    - **Effort:** intermediate
+
 ??? abstract "Control Panel Items"
     
     Detects the malicious use of a control panel item
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md
index 8637a40694..4fcc70b7ee 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md
@@ -171,6 +171,12 @@ The following Sekoia.io built-in rules match the intake **Trend Micro Apex One**
     
     - **Effort:** intermediate
 
+??? abstract "Container Credential Access"
+    
+    Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token
+    
+    - **Effort:** intermediate
+
 ??? abstract "Control Panel Items"
     
     Detects the malicious use of a control panel item
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.md
index 5a6a28e2fd..2ae1c47aa7 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.md
@@ -3,6 +3,12 @@
 The following Sekoia.io built-in rules match the intake **Cloudflare HTTP requests**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Cloudflare HTTP requests on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json){ .md-button }
+??? abstract "Cloudflare HTTP Requests Rule Block Or Drop"
+    
+    Detects when one of Cloudflare Web Application Firewall (WAF) Managed rule blocked or dropped an HTTP request. It requires only Cloudflare HTTP requests logs.
+    
+    - **Effort:** master
+
 ??? abstract "Nimbo-C2 User Agent"
     
     Nimbo-C2 Uses an unusual User-Agent format in its implants.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md
index 157459b8b5..7d4a95d443 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md
@@ -123,6 +123,12 @@ The following Sekoia.io built-in rules match the intake **Cybereason EDR activit
     
     - **Effort:** intermediate
 
+??? abstract "Container Credential Access"
+    
+    Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token
+    
+    - **Effort:** intermediate
+
 ??? abstract "Control Panel Items"
     
     Detects the malicious use of a control panel item
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md
index 405658ce88..d5d7883d0d 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md
@@ -153,6 +153,12 @@ The following Sekoia.io built-in rules match the intake **CrowdStrike Falcon**.
     
     - **Effort:** intermediate
 
+??? abstract "Container Credential Access"
+    
+    Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token
+    
+    - **Effort:** intermediate
+
 ??? abstract "Control Panel Items"
     
     Detects the malicious use of a control panel item
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.md
index 4d638c9b76..d9137efdde 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.md
@@ -81,6 +81,12 @@ The following Sekoia.io built-in rules match the intake **Sekoia.io Endpoint Age
     
     - **Effort:** advanced
 
+??? abstract "Active Directory Shadow Credentials"
+    
+    Detects alternative credentials material adding. Attackers can abuse msDS-KeyCredentialLink and create a key pair to obtain a persistent and stealthy access to the target user or computer. 
+    
+    - **Effort:** elementary
+
 ??? abstract "Active Directory User Backdoors"
     
     Detects scenarios where the attacker controls another user or computer account without having to use their credentials.
@@ -261,6 +267,12 @@ The following Sekoia.io built-in rules match the intake **Sekoia.io Endpoint Age
     
     - **Effort:** advanced
 
+??? abstract "Cisco Umbrella Threat Detected"
+    
+    Cisco Umbrella has detected a malicious traffic categorized as malware, phishing or adware.
+    
+    - **Effort:** intermediate
+
 ??? abstract "Clear EventLogs Through CommandLine"
     
     Detects a command that clears event logs which could indicate an attempt from an attacker to erase its previous traces.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md
index b23898b50f..c41697a784 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md
@@ -195,6 +195,12 @@ The following Sekoia.io built-in rules match the intake **Azure Windows**. This
     
     - **Effort:** intermediate
 
+??? abstract "Container Credential Access"
+    
+    Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token
+    
+    - **Effort:** intermediate
+
 ??? abstract "Control Panel Items"
     
     Detects the malicious use of a control panel item
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md
index 09379183d8..dd818a818e 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md
@@ -183,6 +183,12 @@ The following Sekoia.io built-in rules match the intake **HarfangLab EDR**. This
     
     - **Effort:** intermediate
 
+??? abstract "Container Credential Access"
+    
+    Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token
+    
+    - **Effort:** intermediate
+
 ??? abstract "Control Panel Items"
     
     Detects the malicious use of a control panel item
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.md
index 98138ac873..bdcf0248d4 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.md
@@ -225,6 +225,12 @@ The following Sekoia.io built-in rules match the intake **SentinelOne Cloud Funn
     
     - **Effort:** intermediate
 
+??? abstract "Container Credential Access"
+    
+    Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token
+    
+    - **Effort:** intermediate
+
 ??? abstract "Control Panel Items"
     
     Detects the malicious use of a control panel item
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.md
index 7db8b91f9c..6e6d88e241 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ## Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **Cato Networks SASE [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **Cato Networks SASE**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x Cato Networks SASE [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x Cato Networks SASE on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json){ .md-button }
 ??? abstract "CVE-2020-0688 Microsoft Exchange Server Exploit"
     
     Detects the exploitation of CVE-2020-0688. The POC exploit a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. With knowledge of these, values an attacker can craft a special viewstate to use an OS command to be executed by NT_AUTHORITY\SYSTEM using .NET deserialization. To exploit this vulnerability, an attacker needs to leverage the credentials of an account it had already compromised to authenticate to OWA. 
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md
index 1a0ce2deab..1e3a88a116 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ## Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **Cisco NX-OS [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **Cisco NX-OS**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x Cisco NX-OS [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x Cisco NX-OS on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json){ .md-button }
 ??? abstract "AccCheckConsole Executing Dll"
     
     Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL.
@@ -141,6 +141,12 @@ The following Sekoia.io built-in rules match the intake **Cisco NX-OS [BETA]**.
     
     - **Effort:** intermediate
 
+??? abstract "Container Credential Access"
+    
+    Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token
+    
+    - **Effort:** intermediate
+
 ??? abstract "Control Panel Items"
     
     Detects the malicious use of a control panel item
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.md
new file mode 100644
index 0000000000..d289edc35b
--- /dev/null
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.md
@@ -0,0 +1,544 @@
+## Related Built-in Rules
+
+The following Sekoia.io built-in rules match the intake **Tanium**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+
+[SEKOIA.IO x Tanium on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json){ .md-button }
+??? abstract "Address Space Layout Randomization (ASLR) Alteration"
+    
+    ASLR is a security feature used by the Operating System to mitigate memory exploit, attacker might want to disable it
+    
+    - **Effort:** intermediate
+
+??? abstract "Advanced IP Scanner"
+    
+    Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
+    
+    - **Effort:** master
+
+??? abstract "Audio Capture via PowerShell"
+    
+    Detects audio capture via PowerShell Cmdlet
+    
+    - **Effort:** intermediate
+
+??? abstract "BazarLoader Persistence Using Schtasks"
+    
+    Detects possible BazarLoader persistence using schtasks. BazarLoader will create a Scheduled Task using a specific command line to establish its persistence.
+    
+    - **Effort:** intermediate
+
+??? abstract "Blue Mockingbird Malware"
+    
+    Attempts to detect system changes made by Blue Mockingbird
+    
+    - **Effort:** elementary
+
+??? abstract "CertOC Loading Dll"
+    
+    Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.
+    
+    - **Effort:** intermediate
+
+??? abstract "Change Default File Association"
+    
+    When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
+    
+    - **Effort:** advanced
+
+??? abstract "Clear EventLogs Through CommandLine"
+    
+    Detects a command that clears event logs which could indicate an attempt from an attacker to erase its previous traces.
+    
+    - **Effort:** intermediate
+
+??? abstract "Commonly Used Commands To Stop Services And Remove Backups"
+    
+    Detects specific commands used regularly by ransomwares to stop services or remove backups
+    
+    - **Effort:** intermediate
+
+??? abstract "Control Panel Items"
+    
+    Detects the malicious use of a control panel item
+    
+    - **Effort:** advanced
+
+??? abstract "Cron Files Alteration"
+    
+    Cron Files and Cron Directory alteration used by attacker for persistency or privilege escalation.
+    
+    - **Effort:** advanced
+
+??? abstract "DNS Exfiltration and Tunneling Tools Execution"
+    
+    Well-known DNS exfiltration tools execution
+    
+    - **Effort:** intermediate
+
+??? abstract "Data Compressed With Rar With Password"
+    
+    An adversary may compress data in order to make it portable and minimize the amount of data sent over the network, this could be done the popular rar command line program. This is a more specific one for rar where the arguments allow to encrypt both file data and headers with a given password.
+    
+    - **Effort:** intermediate
+
+??? abstract "Debugging Software Deactivation"
+    
+    Deactivation of some debugging softwares using taskkill command. It was observed being used by Ransomware operators.
+    
+    - **Effort:** elementary
+
+??? abstract "Default Encoding To UTF-8 PowerShell"
+    
+    Detects PowerShell encoding to UTF-8, which is used by Sliver implants. The command line just sets the default encoding to UTF-8 in PowerShell.
+    
+    - **Effort:** advanced
+
+??? abstract "Disable Task Manager Through Registry Key"
+    
+    Detects commands used to disable the Windows Task Manager by modifying the proper registry key in order to impair security tools. This technique is used by the Agent Tesla RAT, among others.
+    
+    - **Effort:** elementary
+
+??? abstract "Disabled IE Security Features"
+    
+    Detects from the command lines or the registry, changes that indicate unwanted modifications to registry keys that disable important Internet Explorer security features. This has been used by attackers during Operation Ke3chang.
+    
+    - **Effort:** advanced
+
+??? abstract "Domain Trust Discovery Through LDAP"
+    
+    Detects attempts to gather information on domain trust relationships that may be used to identify lateral movement opportunities. "trustedDomain" which is detected here is a Microsoft Active Directory ObjectClass Type that represents a domain that is trusted by, or trusting, the local AD DOMAIN. Several tools are using LDAP queries in the end to get the information (DSQuery, sometimes ADFind as well, etc.)
+    
+    - **Effort:** elementary
+
+??? abstract "Dynamic Linker Hijacking From Environment Variable"
+    
+    LD_PRELOAD and LD_LIBRARY_PATH are environment variables used by the Operating System at the runtime to load shared objects (library.ies) when executing a new process, attacker can overwrite this variable to attempts a privileges escalation.
+    
+    - **Effort:** advanced
+
+??? abstract "ETW Tampering"
+    
+    Detects a command that clears or disables any ETW Trace log which could indicate a logging evasion
+    
+    - **Effort:** intermediate
+
+??? abstract "Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"
+    
+    Detects PowerShell SnapIn command line, often used with Get-Mailbox to export Exchange mailbox data.
+    
+    - **Effort:** intermediate
+
+??? abstract "Exfiltration Domain In Command Line"
+    
+    Detects commands containing a domain linked to http exfiltration.
+    
+    - **Effort:** intermediate
+
+??? abstract "Exploiting SetupComplete.cmd CVE-2019-1378"
+    
+    Detects exploitation attempts of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
+    
+    - **Effort:** intermediate
+
+??? abstract "HackTools Suspicious Process Names In Command Line"
+    
+    Detects the default process name of several HackTools and also check in command line. This rule is here for quickwins as it obviously has many blind spots.
+    
+    - **Effort:** intermediate
+
+??? abstract "High Privileges Network Share Removal"
+    
+    Detects high privileges shares being deleted with the net share command.
+    
+    - **Effort:** intermediate
+
+??? abstract "ICacls Granting Access To All"
+    
+    Detects suspicious icacls command granting access to all, used by the ransomware Ryuk to delete every access-based restrictions on files and directories. ICacls is a built-in Windows command to interact with the Discretionary Access Control Lists (DACLs) which can grand adversaries higher permissions on specific files and folders.
+    
+    - **Effort:** elementary
+
+??? abstract "KeePass Config XML In Command-Line"
+    
+    Detects a command-line interaction with the KeePass Config XML file. It could be used to retrieve informations or to be abused for persistence.
+    
+    - **Effort:** intermediate
+
+??? abstract "Lazarus Loaders"
+    
+    Detects different loaders used by the Lazarus Group APT
+    
+    - **Effort:** elementary
+
+??? abstract "Listing Systemd Environment"
+    
+    Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host.
+    
+    - **Effort:** elementary
+
+??? abstract "Malicious Browser Extensions"
+    
+    Detects browser extensions being loaded with the --load-extension and -base-url options, which works on Chromium-based browsers. We are looking for potentially malicious browser extensions. These extensions can get access to informations.
+    
+    - **Effort:** advanced
+
+??? abstract "MalwareBytes Uninstallation"
+    
+    Detects command line being used by attackers to uninstall Malwarebytes.
+    
+    - **Effort:** intermediate
+
+??? abstract "MavInject Process Injection"
+    
+    Detects process injection using the signed Windows tool Mavinject32.exe (which is a LOLBAS)
+    
+    - **Effort:** intermediate
+
+??? abstract "Microsoft Defender Antivirus Disable Using Registry"
+    
+    The rule detects attempts to deactivate/disable Microsoft Defender Antivirus using registry modification via command line.
+    
+    - **Effort:** master
+
+??? abstract "Microsoft Defender Antivirus Disabled Base64 Encoded"
+    
+    Detects attempts to deactivate/disable Windows Defender through base64 encoded PowerShell command line.
+    
+    - **Effort:** elementary
+
+??? abstract "Microsoft Defender Antivirus History Directory Deleted"
+    
+    Windows Defender history directory has been deleted. Could be an attempt by an attacker to remove its traces.
+    
+    - **Effort:** elementary
+
+??? abstract "Microsoft Defender Antivirus Restoration Abuse"
+    
+    The rule detects attempts to abuse Windows Defender file restoration tool. The Windows Defender process is allowed to write files in its own protected directory. This functionality can be used by a threat actor to overwrite Windows Defender files in order to prevent it from running correctly or use Windows Defender to execute a malicious DLL.
+    
+    - **Effort:** intermediate
+
+??? abstract "Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"
+    
+    Detects changes of preferences for Windows Defender scan and updates. Configure Windows Defender using base64-encoded commands is suspicious and could be related to malicious activities.
+    
+    - **Effort:** intermediate
+
+??? abstract "Microsoft Defender Antivirus Signatures Removed With MpCmdRun"
+    
+    Detects attempts to remove Windows Defender Signatures using MpCmdRun legitimate Windows Defender executable. No signatures mean Windows Defender will be less effective (or completely useless depending on the option used).
+    
+    - **Effort:** elementary
+
+??? abstract "NTDS.dit File Interaction Through Command Line"
+    
+    Detects interaction with the file NTDS.dit through command line. This is usually really suspicious and could indicate an attacker trying copy the file to then look for users password hashes.
+    
+    - **Effort:** intermediate
+
+??? abstract "NetSh Used To Disable Windows Firewall"
+    
+    Detects NetSh commands used to disable the Windows Firewall
+    
+    - **Effort:** intermediate
+
+??? abstract "Netsh Allowed Python Program"
+    
+    Detects netsh command that performs modification on Firewall rules to allow the program python.exe. This activity is most likely related to the deployment of a Python server or an application that needs to communicate over a network. Threat actors could use it for data extraction, hosting a webshell or else.
+    
+    - **Effort:** intermediate
+
+??? abstract "Netsh Port Forwarding"
+    
+    Detects netsh commands that enable a port forwarding between to hosts. This can be used by attackers to tunnel RDP or SMB shares for example.
+    
+    - **Effort:** elementary
+
+??? abstract "Netsh RDP Port Forwarding"
+    
+    Detects netsh commands that configure a port forwarding of port 3389 used for RDP. This is commonly used by attackers during lateralization on windows environments.
+    
+    - **Effort:** elementary
+
+??? abstract "New DLL Added To AppCertDlls Registry Key"
+    
+    Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Logging for Registry events is needed in the Sysmon configuration (events 12 and 13).
+    
+    - **Effort:** intermediate
+
+??? abstract "NjRat Registry Changes"
+    
+    Detects changes for the RUN registry key which happen when a victim is infected by NjRAT. Please note that even if NjRat is well-known for the behavior the rule catches, the rule is a bit larger and could catch other malwares.
+    
+    - **Effort:** intermediate
+
+??? abstract "NlTest Usage"
+    
+    Detects attempts to gather information on domain trust relationships that may be used to identify lateral movement opportunities. These command lines were observed in numerous attacks, but also sometimes from legitimate administrators for debugging purposes. The rule does not cover very basics commands but rather the ones that are interesting for attackers to gather information on a domain.
+    
+    - **Effort:** intermediate
+
+??? abstract "Non-Legitimate Executable Using AcceptEula Parameter"
+    
+    Detects accepteula in command line with non-legitimate executable name. Some attackers are masquerading SysInternals tools with decoy names to prevent detection.
+    
+    - **Effort:** intermediate
+
+??? abstract "Outlook Registry Access"
+    
+    Detection of accesses to Microsoft Outlook registry hive, which might contain sensitive information.
+    
+    - **Effort:** elementary
+
+??? abstract "Package Manager Alteration"
+    
+    Package manager (eg: apt, yum) can be altered to install malicious software
+    
+    - **Effort:** advanced
+
+??? abstract "Phorpiex DriveMgr Command"
+    
+    Detects specific command used by the Phorpiex botnet to execute a copy of the loader during its self-spreading stage. As described by Microsoft, this behavior is unique and easily identifiable due to the use of folders named with underscores "__" and the PE name "DriveMgr.exe".
+    
+    - **Effort:** elementary
+
+??? abstract "Phorpiex Process Masquerading"
+    
+    Detects specific process executable path used by the Phorpiex botnet to masquerade its system process network activity. It looks for a pattern of a system process executable name that is not legitimate and running from a folder that is created via a random algorithm 13-15 numbers long.
+    
+    - **Effort:** elementary
+
+??? abstract "PowerCat Function Loading"
+    
+    Detect a basic execution of PowerCat. PowerCat is a PowerShell function allowing to do basic connections, file transfer, shells, relays, generate payloads.
+    
+    - **Effort:** intermediate
+
+??? abstract "PowerShell AMSI Deactivation Bypass Using .NET Reflection"
+    
+    Detects Request to amsiInitFailed that can be used to disable AMSI (Antimalware Scan Interface) Scanning. More information about Antimalware Scan Interface https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal.
+    
+    - **Effort:** elementary
+
+??? abstract "PowerShell EncodedCommand"
+    
+    Detects popular file extensions in commands obfuscated in base64 run through the EncodedCommand option.
+    
+    - **Effort:** advanced
+
+??? abstract "Powershell UploadString Function"
+    
+    Powershell's `uploadXXX` functions are a category of methods which can be used to exfiltrate data through native means on a Windows host. 
+    
+    - **Effort:** intermediate
+
+??? abstract "Process Memory Dump Using Comsvcs"
+    
+    Detects the use of comsvcs in command line to dump a specific proces memory. This techinique is widlely used by attackers for privilege escalation and pivot.
+    
+    - **Effort:** elementary
+
+??? abstract "Process Memory Dump Using Rdrleakdiag"
+    
+    Detects the use of rdrleakdiag.exe in command line to dump the memory of a process. This technique is used by attackers for privilege escalation and pivot.
+    
+    - **Effort:** elementary
+
+??? abstract "Process Trace Alteration"
+    
+    PTrace syscall provides a means by which one process ("tracer") may observe and control the execution of another process ("tracee") and examine and change the tracee's memory and registers. Attacker might want to abuse ptrace functionnality to analyse memory process. It requires to be admin or set ptrace_scope to 0 to allow all user to trace any process.
+    
+    - **Effort:** advanced
+
+??? abstract "Python HTTP Server"
+    
+    Detects command used to start a Simple HTTP server in Python. Threat actors could use it for data extraction, hosting a webshell or else.
+    
+    - **Effort:** intermediate
+
+??? abstract "Qakbot Persistence Using Schtasks"
+    
+    Detects possible Qakbot persistence using schtasks.
+    
+    - **Effort:** intermediate
+
+??? abstract "RYUK Ransomeware - martinstevens Username"
+    
+    Detects user name "martinstevens". Wizard Spider is used to add the user name "martinstevens" to the AD of its victims. It was observed in several campaigns; in 2019 and 2020.
+    
+    - **Effort:** elementary
+
+??? abstract "Raccine Uninstall"
+    
+    Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
+    
+    - **Effort:** elementary
+
+??? abstract "RedMimicry Winnti Playbook Registry Manipulation"
+    
+    Detects actions caused by the RedMimicry Winnti playbook. Logging for Registry events is needed in the Sysmon configuration (events 12 and 13).
+    
+    - **Effort:** elementary
+
+??? abstract "Rubeus Tool Command-line"
+    
+    Detects command line parameters used by Rubeus, a toolset to interact with Kerberos and abuse it.
+    
+    - **Effort:** advanced
+
+??? abstract "SEKOIA.IO Intelligence Feed"
+    
+    Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
+    
+    - **Effort:** elementary
+
+??? abstract "SOCKS Tunneling Tool"
+    
+    Detects the usage of a SOCKS tunneling tool, often used by threat actors. These tools often use the socks5 commandline argument, however socks4 can sometimes be used as well. Unfortunately, socks alone (without any number) triggered too many false positives. 
+    
+    - **Effort:** intermediate
+
+??? abstract "SSH Authorized Key Alteration"
+    
+    The file authorized_keys is used by SSH server to identify SSH keys that are authorized to connect to the host, alteration of one of those files might indicate a user compromision
+    
+    - **Effort:** advanced
+
+??? abstract "Sliver DNS Beaconing"
+    
+    Detects suspicious DNS queries known from Sliver beaconing 
+    
+    - **Effort:** intermediate
+
+??? abstract "Spyware Persistence Using Schtasks"
+    
+    Detects possible Agent Tesla or Formbook persistence using schtasks. The name of the scheduled task used by these malware is very specific (Updates/randomstring).
+    
+    - **Effort:** intermediate
+
+??? abstract "Suncrypt Parameters"
+    
+    Detects SunCrypt ransomware's parameters, most of which are unique.
+    
+    - **Effort:** elementary
+
+??? abstract "Suspicious Cmd File Copy Command To Network Share"
+    
+    Copy suspicious files through Windows cmd prompt to network share
+    
+    - **Effort:** intermediate
+
+??? abstract "Suspicious DLL Loading By Ordinal"
+    
+    Detects suspicious DLL Loading by ordinal number in a non legitimate or rare folders. For example, Sofacy (APT28) used this technique to load their Trojan in a campaign of 2018.
+    
+    - **Effort:** intermediate
+
+??? abstract "Suspicious Microsoft Defender Antivirus Exclusion Command"
+    
+    Detects PowerShell commands aiming to exclude path, process, IP address, or extension from scheduled and real-time scanning. These commands can be used by attackers or malware to avoid being detected by Windows Defender. Depending on the environment and the installed software, this detection rule could raise false positives. We recommend customizing this rule by filtering legitimate processes that use Windows Defender exclusion command in your environment.
+    
+    - **Effort:** master
+
+??? abstract "Suspicious Netsh DLL Persistence"
+    
+    Detects persitence via netsh helper. Netsh interacts with other operating system components using dynamic-link library (DLL) files. Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs.
+    
+    - **Effort:** elementary
+
+??? abstract "Suspicious PowerShell Invocations - Specific"
+    
+    Detects suspicious PowerShell invocation command parameters
+    
+    - **Effort:** intermediate
+
+??? abstract "Suspicious PrinterPorts Creation (CVE-2020-1048)"
+    
+    Detects new commands that add new printer port which point to suspicious file
+    
+    - **Effort:** advanced
+
+??? abstract "Suspicious Process Requiring DLL Starts Without DLL"
+    
+    Detects potential process injection and hollowing on processes that usually require a DLL to be launched, but are launched without any argument. 
+    
+    - **Effort:** intermediate
+
+??? abstract "Suspicious Scheduled Task Creation"
+    
+    Detects suspicious scheduled task creation, either executed by a non-system user or a user who is not administrator (the user ID is not S-1-5-18 or S-1-5-18-*). This detection rule doesn't match Sysmon EventID 1 because the user SID is always set to S-1-5-18. 
+    
+    - **Effort:** intermediate
+
+??? abstract "Suspicious Taskkill Command"
+    
+    Detects rare taskkill command being used. It could be related to Baby Shark malware.
+    
+    - **Effort:** intermediate
+
+??? abstract "Suspicious Windows Installer Execution"
+    
+    Detects suspicious execution of the Windows Installer service (msiexec.exe) which could be used to install a malicious MSI package hosted on a remote server.
+    
+    - **Effort:** intermediate
+
+??? abstract "UAC Bypass Via Sdclt"
+    
+    Detects changes to HKCU\Software\Classes\exefile\shell\runas\command\isolatedCommand by an attacker in order to bypass User Account Control (UAC)
+    
+    - **Effort:** elementary
+
+??? abstract "UAC Bypass via Event Viewer"
+    
+    Detects UAC bypass method using Windows event viewer. 
+    
+    - **Effort:** elementary
+
+??? abstract "Usage Of Procdump With Common Arguments"
+    
+    Detects the usage of Procdump sysinternals tool with some common arguments and followed by common patterns.
+    
+    - **Effort:** intermediate
+
+??? abstract "WMI Install Of Binary"
+    
+    Detection of WMI used to install a binary on the host. It is often used by attackers as a signed binary to infect an host.
+    
+    - **Effort:** elementary
+
+??? abstract "WMIC Uninstall Product"
+    
+    Detects products being uninstalled using WMIC command.
+    
+    - **Effort:** intermediate
+
+??? abstract "WiFi Credentials Harvesting Using Netsh"
+    
+    Detects the harvesting of WiFi credentials using netsh.exe, used in particular by Agent Tesla (RAT) and Turla Mosquito (RAT)
+    
+    - **Effort:** elementary
+
+??? abstract "Windows Firewall Changes"
+    
+    Detects changes on Windows Firewall configuration
+    
+    - **Effort:** master
+
+??? abstract "Wmic Process Call Creation"
+    
+    The WMI command-line (WMIC) utility provides a command-line interface for Windows Management Instrumentation (WMI). WMIC is compatible with existing shells and utility commands. Although WMI is supposed to be an administration tool, it is wildy abused by threat actors. One of the reasons is WMI is quite stealthy. This rule detects the wmic command line launching a process on a remote or local host.
+    
+    - **Effort:** intermediate
+
+??? abstract "Wmic Service Call"
+    
+    Detects either remote or local code execution using wmic tool.
+    
+    - **Effort:** intermediate
+
+??? abstract "XCopy Suspicious Usage"
+    
+    Detects the usage of xcopy with suspicious command line options (used by Judgment Panda APT in the past). The rule is based on command line only in case xcopy is renamed.
+    
+    - **Effort:** advanced
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.md
index bd884205f0..b7d1d04369 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.md
@@ -231,6 +231,12 @@ The following Sekoia.io built-in rules match the intake **SentinelOne Cloud Funn
     
     - **Effort:** intermediate
 
+??? abstract "Container Credential Access"
+    
+    Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token
+    
+    - **Effort:** intermediate
+
 ??? abstract "Control Panel Items"
     
     Detects the malicious use of a control panel item
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md
index 96a4c39d1b..3bb5ac75b9 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md
@@ -165,6 +165,12 @@ The following Sekoia.io built-in rules match the intake **TEHTRIS EDR**. This do
     
     - **Effort:** intermediate
 
+??? abstract "Container Credential Access"
+    
+    Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token
+    
+    - **Effort:** intermediate
+
 ??? abstract "Control Panel Items"
     
     Detects the malicious use of a control panel item
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md
index 437da4910a..27d2c89066 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md
@@ -81,6 +81,12 @@ The following Sekoia.io built-in rules match the intake **Windows**. This docume
     
     - **Effort:** advanced
 
+??? abstract "Active Directory Shadow Credentials"
+    
+    Detects alternative credentials material adding. Attackers can abuse msDS-KeyCredentialLink and create a key pair to obtain a persistent and stealthy access to the target user or computer. 
+    
+    - **Effort:** elementary
+
 ??? abstract "Active Directory User Backdoors"
     
     Detects scenarios where the attacker controls another user or computer account without having to use their credentials.
@@ -363,6 +369,12 @@ The following Sekoia.io built-in rules match the intake **Windows**. This docume
     
     - **Effort:** intermediate
 
+??? abstract "Container Credential Access"
+    
+    Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token
+    
+    - **Effort:** intermediate
+
 ??? abstract "Control Panel Items"
     
     Detects the malicious use of a control panel item
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.md
index 99484eda35..38006605f1 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.md
@@ -159,6 +159,12 @@ The following Sekoia.io built-in rules match the intake **Sophos Analysis Threat
     
     - **Effort:** intermediate
 
+??? abstract "Container Credential Access"
+    
+    Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token
+    
+    - **Effort:** intermediate
+
 ??? abstract "Control Panel Items"
     
     Detects the malicious use of a control panel item
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.md
index ebcb149e31..36b3b96672 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.md
@@ -39,6 +39,18 @@ The following Sekoia.io built-in rules match the intake **Jumpcloud Directory In
     
     - **Effort:** advanced
 
+??? abstract "Jumpcloud Account Locked"
+    
+    A user has been locked on Jumpcloud portal.
+    
+    - **Effort:** intermediate
+
+??? abstract "Jumpcloud Api Key Updated"
+    
+    An API Token has been updated on Jumplcoud portal.
+    
+    - **Effort:** advanced
+
 ??? abstract "Jumpcloud Policy Modified"
     
     Detects when a Jumpcloud policy is modified.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.md
index c9d1d66434..b284140e01 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.md
@@ -159,6 +159,12 @@ The following Sekoia.io built-in rules match the intake **Trend Micro Cloud One
     
     - **Effort:** intermediate
 
+??? abstract "Container Credential Access"
+    
+    Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token
+    
+    - **Effort:** intermediate
+
 ??? abstract "Control Panel Items"
     
     Detects the malicious use of a control panel item
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.md
new file mode 100644
index 0000000000..8847d33a30
--- /dev/null
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.md
@@ -0,0 +1,202 @@
+## Related Built-in Rules
+
+The following Sekoia.io built-in rules match the intake **Trellix Network Security [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+
+[SEKOIA.IO x Trellix Network Security [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json){ .md-button }
+??? abstract "CVE-2018-11776 Apache Struts2"
+    
+    Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace. 
+    
+    - **Effort:** intermediate
+
+??? abstract "CVE-2019-0604 SharePoint"
+    
+    Detects the exploitation of the SharePoint vulnerability (CVE-2019-0604)
+    
+    - **Effort:** advanced
+
+??? abstract "CVE-2020-0688 Microsoft Exchange Server Exploit"
+    
+    Detects the exploitation of CVE-2020-0688. The POC exploit a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. With knowledge of these, values an attacker can craft a special viewstate to use an OS command to be executed by NT_AUTHORITY\SYSTEM using .NET deserialization. To exploit this vulnerability, an attacker needs to leverage the credentials of an account it had already compromised to authenticate to OWA. 
+    
+    - **Effort:** elementary
+
+??? abstract "CVE-2020-1147 SharePoint"
+    
+    Detection of SharePoint vulnerability CVE-2020-1147
+    
+    - **Effort:** advanced
+
+??? abstract "CVE-2020-14882 Oracle WebLogic Server"
+    
+    Detects the exploitation of the Oracle WebLogic Server vulnerability (CVE-2020-16952)
+    
+    - **Effort:** advanced
+
+??? abstract "CVE-2020-17530 Apache Struts RCE"
+    
+    Detects the exploitation of the Apache Struts vulnerability (CVE-2020-17530).
+    
+    - **Effort:** intermediate
+
+??? abstract "CVE-2021-20021 SonicWall Unauthenticated Administrator Access"
+    
+    Detects the exploitation of SonicWall Unauthenticated Admin Access.
+    
+    - **Effort:** advanced
+
+??? abstract "CVE-2021-20023 SonicWall Arbitrary File Read"
+    
+    Detects Arbitrary File Read, which can be used with other vulnerabilities as a mean to obtain outputs generated by attackers, or sensitive data.
+    
+    - **Effort:** advanced
+
+??? abstract "CVE-2021-21972 VMware vCenter"
+    
+    The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). POST request on the following PATH "/ui/vropspluginui/rest/services/uploadova". If in response body (500) the words it has "uploadFile", that means the vCenter is available to accept files via POST without any restrictions.
+    
+    - **Effort:** intermediate
+
+??? abstract "CVE-2021-21985 VMware vCenter"
+    
+    The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.0 before 7.0 U2b, 6.7 before 6.7 U3n and 6.5 before 6.5 U3p) and VMware Cloud Foundation (4.x before 4.2.1 and 3.x before 3.10.2.1).
+    
+    - **Effort:** intermediate
+
+??? abstract "CVE-2021-22123 Fortinet FortiWeb OS Command Injection"
+    
+    Detects Fortinet FortiWeb OS Command Injection (August 2021) vulnerability exploitation attempt. A remote, authenticated attacker can execute arbitrary commands on the system hosting a vulnerable FortiWeb WAF by sending a POST request with the command in the name field. At the time of writing this rule, it would appear that the request would respond in code 500 for a successful exploitation attempt. 
+    
+    - **Effort:** advanced
+
+??? abstract "CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"
+    
+    Detects potential exploitation of the authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. It is highly recommended to apply the Pulse Secure mitigations and seach for indicators of compromise on affected servers if you are in doubt over the integrity of your Pulse Connect Secure product.
+    
+    - **Effort:** intermediate
+
+??? abstract "CVE-2021-26855 Exchange SSRF"
+    
+    Detects the exploitation of ProyxLogon vulerability on Exchange servers.
+    
+    - **Effort:** advanced
+
+??? abstract "Cron Files Alteration"
+    
+    Cron Files and Cron Directory alteration used by attacker for persistency or privilege escalation.
+    
+    - **Effort:** advanced
+
+??? abstract "Detect requests to Konni C2 servers"
+    
+    This rule detects requests to Konni C2 servers. These patterns come from an analysis done in 2022, September.
+    
+    - **Effort:** elementary
+
+??? abstract "Download Files From Suspicious TLDs"
+    
+    Detects download of certain file types from hosts in suspicious TLDs
+    
+    - **Effort:** master
+
+??? abstract "FoggyWeb HTTP Default GET/POST Requests"
+    
+    Detects GET or POST request pattern observed within the first FoggyWeb campaign detected by Microsoft.
+    
+    - **Effort:** advanced
+
+??? abstract "Koadic MSHTML Command"
+    
+    Detects Koadic payload using MSHTML module
+    
+    - **Effort:** intermediate
+
+??? abstract "NTDS.dit File In Suspicious Directory"
+    
+    The file NTDS.dit is supposed to be located mainly in C:\Windows\NTDS. The rule checks whether the file is in a legitimate directory or not (through file creation events). This is usually really suspicious and could indicate an attacker trying copy the file to then look for users password hashes.
+    
+    - **Effort:** advanced
+
+??? abstract "Nimbo-C2 User Agent"
+    
+    Nimbo-C2 Uses an unusual User-Agent format in its implants.
+    
+    - **Effort:** intermediate
+
+??? abstract "OneNote Embedded File"
+    
+    Detects creation or uses of OneNote embedded files with unusual extensions.  
+    
+    - **Effort:** intermediate
+
+??? abstract "Package Manager Alteration"
+    
+    Package manager (eg: apt, yum) can be altered to install malicious software
+    
+    - **Effort:** advanced
+
+??? abstract "Possible Malicious File Double Extension"
+    
+    Detects request to potential malicious file with double extension
+    
+    - **Effort:** elementary
+
+??? abstract "Potential Bazar Loader User-Agents"
+    
+    Detects potential Bazar loader communications through the user-agent
+    
+    - **Effort:** elementary
+
+??? abstract "Potential Lemon Duck User-Agent"
+    
+    Detects LemonDuck user agent. The format used two sets of alphabetical characters separated by dashes, for example "User-Agent: Lemon-Duck-[A-Z]-[A-Z]".
+    
+    - **Effort:** elementary
+
+??? abstract "Privilege Escalation Awesome Scripts (PEAS)"
+    
+    Detect PEAS privileges escalation scripts and binaries
+    
+    - **Effort:** elementary
+
+??? abstract "ProxyShell Exchange Suspicious Paths"
+    
+    Detects suspicious calls to Exchange resources, in locations related to webshells observed in campaigns using this vulnerability.
+    
+    - **Effort:** elementary
+
+??? abstract "RTLO Character"
+    
+    Detects RTLO (Right-To-Left character) in file and process names.
+    
+    - **Effort:** elementary
+
+??? abstract "SEKOIA.IO Intelligence Feed"
+    
+    Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
+    
+    - **Effort:** elementary
+
+??? abstract "SSH Authorized Key Alteration"
+    
+    The file authorized_keys is used by SSH server to identify SSH keys that are authorized to connect to the host, alteration of one of those files might indicate a user compromision
+    
+    - **Effort:** advanced
+
+??? abstract "Suspicious URI Used In A Lazarus Campaign"
+    
+    Detects suspicious requests to a specific URI, usually on an .asp page. The website is often compromised.
+    
+    - **Effort:** intermediate
+
+??? abstract "WCE wceaux.dll Creation"
+    
+    Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.
+    
+    - **Effort:** intermediate
+
+??? abstract "Webshell Creation"
+    
+    Detects possible webshell file creation. It requires File Creation monitoring, which can be done using Sysmon's Event ID 11. However the recommended SwiftOnSecurity configuration does not fully cover the needs for this rule, it needs to be updated with the proper file names extensions.
+    
+    - **Effort:** master
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md
index 66982427dd..da430cf747 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md
@@ -21,6 +21,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** master
 
+??? abstract "Account Tampering - Suspicious Failed Logon Reasons"
+    
+    This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted. Depending on the network environment some failed logons Status can be added to the list.
+    
+    - **Effort:** advanced
+
 ??? abstract "AdFind Usage"
     
     Detects the usage of the AdFind tool. AdFind.exe is a free tool that extracts information from Active Directory.  Wizard Spider (Bazar, TrickBot, Ryuk), FIN6 and MAZE operators have used AdFind.exe to collect information about Active Directory organizational units and trust objects 
@@ -45,12 +51,24 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** advanced
 
+??? abstract "Admin User RDP Remote Logon"
+    
+    Detects remote login through Remote Desktop Protocol (RDP) by Administrator user depending on internal pattern. Check before activation the identifiable administrators usernames (pattern or special unique character ("Admin*") to adapt and add some filtering.
+    
+    - **Effort:** master
+
 ??? abstract "Advanced IP Scanner"
     
     Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
     
     - **Effort:** master
 
+??? abstract "Antivirus Relevant File Paths Alerts"
+    
+    Detects an Antivirus alert in a highly relevant file path or with a relevant file name. This is only based on Windows Defender events.
+    
+    - **Effort:** elementary
+
 ??? abstract "Audio Capture via PowerShell"
     
     Detects audio capture via PowerShell Cmdlet
@@ -111,6 +129,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** master
 
+??? abstract "CVE-2019-0708 Scan"
+    
+    Detects the use of a scanner that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep.
+    
+    - **Effort:** elementary
+
 ??? abstract "CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"
     
     Detects suspicious image loads and file creations from the spoolsv process which could be a sign of an attacker trying to exploit the PrintNightmare vulnerability, CVE-2021-34527. A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. This works as well as a Local Privilege escalation vulnerability. To fully work the rule requires to log for Loaded DLLs and File Creations, which can be done respectively using the Sysmon's event IDs 7 and 11.
@@ -135,6 +159,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** master
 
+??? abstract "Chafer (APT 39) Activity"
+    
+    Detects previous Chafer (APT 39) activity attributed to OilRig as reported in Nyotron report in March 2018.
+    
+    - **Effort:** intermediate
+
 ??? abstract "Change Default File Association"
     
     When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
@@ -171,12 +201,24 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** intermediate
 
+??? abstract "Container Credential Access"
+    
+    Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token
+    
+    - **Effort:** intermediate
+
 ??? abstract "Control Panel Items"
     
     Detects the malicious use of a control panel item
     
     - **Effort:** advanced
 
+??? abstract "Copy Of Legitimate System32 Executable"
+    
+    A script has copied a System32 executable.
+    
+    - **Effort:** intermediate
+
 ??? abstract "Copying Browser Files With Credentials"
     
     Detects copy of sensitive data (passwords, cookies, credit cards) included in web browsers files.
@@ -429,6 +471,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** intermediate
 
+??? abstract "FromBase64String Command Line"
+    
+    Detects suspicious FromBase64String expressions in command line arguments
+    
+    - **Effort:** master
+
 ??? abstract "Grabbing Sensitive Hives Via Reg Utility"
     
     Detects dump of SAM, System or Security hives using reg.exe utility. Adversaries may attempt to dump these Windows Registry to retrieve password hashes and access credentials.
@@ -495,6 +543,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** intermediate
 
+??? abstract "Invoke-TheHash Commandlets"
+    
+    Detects suspicious Invoke-TheHash PowerShell commandlet used for performing pass the hash WMI and SMB tasks.
+    
+    - **Effort:** elementary
+
 ??? abstract "KeePass Config XML In Command-Line"
     
     Detects a command-line interaction with the KeePass Config XML file. It could be used to retrieve informations or to be abused for persistence.
@@ -585,6 +639,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** advanced
 
+??? abstract "Malicious PowerShell Keywords"
+    
+    Detects keywords from well-known PowerShell exploitation frameworks
+    
+    - **Effort:** advanced
+
 ??? abstract "MalwareBytes Uninstallation"
     
     Detects command line being used by attackers to uninstall Malwarebytes.
@@ -609,6 +669,18 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** intermediate
 
+??? abstract "Microsoft Defender Antivirus Disable SecurityHealth"
+    
+    The rule detects attempts to deactivate/disable Windows Defender SecurityHealth through command line and registry. To fully use this rule Windows Registry logging is recommended.
+    
+    - **Effort:** intermediate
+
+??? abstract "Microsoft Defender Antivirus Disable Services"
+    
+    The rule detects attempts to deactivate/disable Windows Defender through command line and registry.
+    
+    - **Effort:** intermediate
+
 ??? abstract "Microsoft Defender Antivirus Disable Using Registry"
     
     The rule detects attempts to deactivate/disable Microsoft Defender Antivirus using registry modification via command line.
@@ -681,6 +753,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** intermediate
 
+??? abstract "Msdt (Follina) File Browse Process Execution"
+    
+    Detects various Follina vulnerability exploitation techniques. This is based on the Compatability Troubleshooter which is abused to do code execution.
+    
+    - **Effort:** elementary
+
 ??? abstract "Mshta JavaScript Execution"
     
     Identifies suspicious mshta.exe commands that execute JavaScript supplied as a command line argument.
@@ -759,6 +837,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** advanced
 
+??? abstract "Network Share Discovery"
+    
+    Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. File sharing over a Windows network occurs over the SMB protocol. This technique is frequently leveraged by threat actors such as APT32, APT41, Wizard Spider. But also, through the use of some malware such as Cobalt Strike, Empire, PlugX and Ramsay.
+    
+    - **Effort:** master
+
 ??? abstract "Network Sniffing"
     
     List of common tools used for network packages sniffing
@@ -873,6 +957,18 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** elementary
 
+??? abstract "Phosphorus (APT35) Exchange Discovery"
+    
+    According to the Miscosoft's report, the group Phosphorus (part of APT35) uses a specific PowerShell command to collect information about its the environment of compromised Microsoft Exchange servers. The command is the following: Get-Recipient | Select Name -ExpandProperty EmailAddresses -first 1 | Select SmtpAddress |  ft -hidetableheaders
+    
+    - **Effort:** elementary
+
+??? abstract "Phosphorus Domain Controller Discovery"
+    
+    According to the Miscosoft's report, the group Phosphorus (part of APT35) uses a specific PowerShell command to collect information about the Domain Controller. The command is the following: "powershell.exe" /c Get-WMIObject Win32_NTDomain | findstr DomainController
+    
+    - **Effort:** intermediate
+
 ??? abstract "Possible Replay Attack"
     
     This event can be a sign of Kerberos replay attack or, among other things, network device configuration or routing problems.
@@ -885,12 +981,30 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** intermediate
 
+??? abstract "PowerShell - NTFS Alternate Data Stream"
+    
+    Detects writing data into NTFS alternate data streams from PowerShell. Needs Script Block Logging (Event ID 4104)
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell AMSI Deactivation Bypass Using .NET Reflection"
     
     Detects Request to amsiInitFailed that can be used to disable AMSI (Antimalware Scan Interface) Scanning. More information about Antimalware Scan Interface https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal.
     
     - **Effort:** elementary
 
+??? abstract "PowerShell Credential Prompt"
+    
+    Detects PowerShell calling a credential prompt (using PromptForCredential) ex: $Credential = $host.ui.PromptForCredential("Need credentials", "Please enter your user name and password.", "", "NetBiosUserName") The same result can be obtained by using the Get-Credential function but detecting it will trigger a lot of FP
+    
+    - **Effort:** elementary
+
+??? abstract "PowerShell Data Compressed"
+    
+    Detects data compression through a PowerShell command (could be used by an adversary for exfiltration)
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Downgrade Attack"
     
     Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
@@ -915,12 +1029,48 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** intermediate
 
+??? abstract "PowerShell Invoke Expression With Registry"
+    
+    Detects keywords from well-known PowerShell techniques to get registry key values
+    
+    - **Effort:** advanced
+
+??? abstract "PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"
+    
+    Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework
+    
+    - **Effort:** advanced
+
 ??? abstract "PowerShell Malicious Nishang PowerShell Commandlets"
     
     Detects Commandlet names and arguments from the Nishang exploitation framework
     
     - **Effort:** advanced
 
+??? abstract "PowerShell Malicious PowerShell Commandlets"
+    
+    Detects Commandlet names from well-known PowerShell exploitation frameworks (PowerSploit...)
+    
+    - **Effort:** master
+
+??? abstract "PowerView commandlets 1"
+    
+    Detects PowerView commandlets which perform network and Windows domain enumeration and exploitation. It provides replaces for almost all Windows net commands, letting you query users, machines, domain controllers, user descriptions, share, sessions, and more.
+    
+    - **Effort:** advanced
+
+??? abstract "PowerView commandlets 2"
+    
+    Detects PowerView commandlets which perform network and Windows domain enumeration and exploitation. It provides replaces for almost all Windows net commands, letting you query users, machines, domain controllers, user descriptions, share, sessions, and more.
+    
+    - **Effort:** advanced
+
+??? abstract "Powershell AMSI Bypass"
+    
+    This rule aims to detect attempts to bypass AMSI in powershell using specific techniques.
+    
+    - **Effort:** advanced
+
 ??? abstract "Powershell UploadString Function"
     
     Powershell's `uploadXXX` functions are a category of methods which can be used to exfiltrate data through native means on a Windows host. 
@@ -933,6 +1083,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** advanced
 
+??? abstract "Powershell Winlogon Helper DLL"
+    
+    Detects modifications to the Winlogon Registry keys, which may cause Winlogon to load and execute malicious DLLs and/or executables.
+    
+    - **Effort:** intermediate
+
 ??? abstract "Process Memory Dump Using Comsvcs"
     
     Detects the use of comsvcs in command line to dump a specific proces memory. This techinique is widlely used by attackers for privilege escalation and pivot.
@@ -1041,6 +1197,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** elementary
 
+??? abstract "Rubeus Register New Logon Process"
+    
+    Detects potential use of Rubeus through registering a new logon process. This rule needs the EventID 4611, which can be configured through Group Policies (Audit Security System Extension)
+    
+    - **Effort:** master
+
 ??? abstract "Rubeus Tool Command-line"
     
     Detects command line parameters used by Rubeus, a toolset to interact with Kerberos and abuse it.
@@ -1077,6 +1239,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** intermediate
 
+??? abstract "SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory"
+    
+    Detects the SeEnableDelegationPrivilege right in Active Directory granted to a user of a computer, it would allow control of other AD user objects
+    
+    - **Effort:** elementary
+
 ??? abstract "Searchindexer Wrong Parent"
     
     Detects if the Search Indexer was executed by a non-legitimate parent process. Search Indexer is the Windows service that handles indexing of your files for Windows Search.
@@ -1137,6 +1305,18 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** elementary
 
+??? abstract "Stop Backup Services"
+    
+    Detects adversaries attempts to stop backups services or disable Windows previous files versions feature. This could be related to ransomware operators or legit administrators. This rule relies Windows command line logging and registry logging, and PowerShell (ID 4103, 4104).
+    
+    - **Effort:** master
+
+??? abstract "Successful Overpass The Hash Attempt"
+    
+    Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
+    
+    - **Effort:** intermediate
+
 ??? abstract "Suncrypt Parameters"
     
     Detects SunCrypt ransomware's parameters, most of which are unique.
@@ -1251,12 +1431,24 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** intermediate
 
+??? abstract "Suspicious PowerShell Invocations - Generic"
+    
+    Detects suspicious PowerShell invocation command parameters through command line logging or ScriptBlock Logging.
+    
+    - **Effort:** intermediate
+
 ??? abstract "Suspicious PowerShell Invocations - Specific"
     
     Detects suspicious PowerShell invocation command parameters
     
     - **Effort:** intermediate
 
+??? abstract "Suspicious PowerShell Keywords"
+    
+    Detects keywords that could indicate the use of some PowerShell exploitation framework
+    
+    - **Effort:** advanced
+
 ??? abstract "Suspicious PrinterPorts Creation (CVE-2020-1048)"
     
     Detects new commands that add new printer port which point to suspicious file
@@ -1305,6 +1497,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** intermediate
 
+??? abstract "Suspicious XOR Encoded PowerShell Command Line"
+    
+    Detects suspicious powershell process which includes bxor command, alternative obfuscation  method to b64 encoded commands.
+    
+    - **Effort:** advanced
+
 ??? abstract "Suspicious certutil command"
     
     Detects suspicious certutil command which can be used by threat actors to download and/or decode payload. 
@@ -1359,6 +1557,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** intermediate
 
+??? abstract "TrustedInstaller Impersonation"
+    
+    The rule detects attempts to impersonate TrustedInstaller. TrustedInstaller rights could allow a threat actor to delete or modify protected file or create/delete/modify files in protected folders. This technique is used by threat actors to disable Windows Defender.
+    
+    - **Effort:** elementary
+
 ??? abstract "UAC Bypass Using Fodhelper"
     
     Detects UAC bypass method using Fodhelper after setting the proper registry key, used in particular by Agent Tesla (RAT) or more recently by Earth Luscas. Prerequisites are logging for Registry events in the Sysmon configuration (events 12 and 13).
@@ -1443,6 +1647,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** intermediate
 
+??? abstract "WMImplant Hack Tool"
+    
+    WMImplant is a powershell framework used by attacker for reconnaissance and exfiltration, this rule attempts to detect WMimplant arguments and invokes commands. 
+    
+    - **Effort:** intermediate
+
 ??? abstract "Webshell Creation"
     
     Detects possible webshell file creation. It requires File Creation monitoring, which can be done using Sysmon's Event ID 11. However the recommended SwiftOnSecurity configuration does not fully cover the needs for this rule, it needs to be updated with the proper file names extensions.
@@ -1461,6 +1671,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
     
     - **Effort:** elementary
 
+??? abstract "Windows Defender Deactivation Using PowerShell Script"
+    
+    Detects attempts to deactivate Windows Defender with PowerShell using ScriptBlockLogging.
+    
+    - **Effort:** master
+
 ??? abstract "Windows Firewall Changes"
     
     Detects changes on Windows Firewall configuration
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.md
index baabbb0ec0..457f932226 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ## Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **OGO WAF [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **OGO WAF**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x OGO WAF [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x OGO WAF on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json){ .md-button }
 ??? abstract "Burp Suite Tool Detected"
     
     Burp Suite is a cybersecurity tool. When used as a proxy service, its purpose is to intercept packets and modify them to send them to the server. Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities (vulnerabilities scanner)
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.md
index 2b8aeeaae6..dd4edc3d05 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.md
@@ -117,6 +117,12 @@ The following Sekoia.io built-in rules match the intake **AWS CloudTrail**. This
     
     - **Effort:** elementary
 
+??? abstract "AWS CloudTrail Root ConsoleLogin"
+    
+    Detects a login with a root account on AWS portal. It is a best practice to avoid root account usage for daily tasks and to create an IAM admin user.
+    
+    - **Effort:** intermediate
+
 ??? abstract "AWS CloudTrail Route 53 Domain Transfer Attempt"
     
     Detects when a request in success or failure is made to transfer a domain name to an other AWS account
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.md
index 200aaa1462..b97e8aeaec 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.md
@@ -129,6 +129,12 @@ The following Sekoia.io built-in rules match the intake **IBM AIX**. This docume
     
     - **Effort:** intermediate
 
+??? abstract "Container Credential Access"
+    
+    Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token
+    
+    - **Effort:** intermediate
+
 ??? abstract "Control Panel Items"
     
     Detects the malicious use of a control panel item
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.md
index 59794cc04e..96a49d78ac 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.md
@@ -1,8 +1,8 @@
 ## Related Built-in Rules
 
-The following Sekoia.io built-in rules match the intake **SonicWall Firewall [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
+The following Sekoia.io built-in rules match the intake **SonicWall Firewall**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
-[SEKOIA.IO x SonicWall Firewall [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json){ .md-button }
+[SEKOIA.IO x SonicWall Firewall on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json){ .md-button }
 ??? abstract "AdFind Usage"
     
     Detects the usage of the AdFind tool. AdFind.exe is a free tool that extracts information from Active Directory.  Wizard Spider (Bazar, TrickBot, Ryuk), FIN6 and MAZE operators have used AdFind.exe to collect information about Active Directory organizational units and trust objects 
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md
index 3571b13bed..620d1baaee 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md
@@ -177,6 +177,12 @@ The following Sekoia.io built-in rules match the intake **StormShield SES [BETA]
     
     - **Effort:** intermediate
 
+??? abstract "Container Credential Access"
+    
+    Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token
+    
+    - **Effort:** intermediate
+
 ??? abstract "Control Panel Items"
     
     Detects the malicious use of a control panel item
diff --git a/docs/xdr/features/detect/built_in_detection_rules_eventids.md b/docs/xdr/features/detect/built_in_detection_rules_eventids.md
index c37480fcf8..5e600780f7 100644
--- a/docs/xdr/features/detect/built_in_detection_rules_eventids.md
+++ b/docs/xdr/features/detect/built_in_detection_rules_eventids.md
@@ -1,6 +1,6 @@
 # Built-in detection rules, EventIDs and EventProviders relations
 SEKOIA.IO provides built-in detection rules to illuminate intrusions, adversarial behaviours and suspicious activity escalation chains so you can immediately take steps to remediate. Built-in rules can be customized to your context and according to your security posture.
-This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2023-10-24_
+This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2023-11-02_
 
 The colors of the EventIDs in this page should be interpreted as follow:
 
@@ -12,519 +12,511 @@ The colors of the EventIDs in this page should be interpreted as follow:
 ## Rules x Effort Level x EventIDs x Event Providers
 | Rule Name | Effort Level | EventIDs | Event Providers |
 | --------- | ------------ | -------- | --------------- |
+| WMI DLL Loaded Via Office | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| WMIC Loading Scripting Libraries | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| xWizard Execution | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
+| User Couldn't Call A Privileged Service LsaRegisterLogonProcess | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673' style='color: inherit;'>4673</a></span> | Microsoft-Windows-Security-Auditing |
 | Microsoft 365 (Office 365) MCAS New Country | master | 98 |  |
+| FoggyWeb Backdoor DLL Loading | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| Registry Checked For Lanmanserver DisableCompression Parameter | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663' style='color: inherit;'>4663</a></span> | Microsoft-Windows-Security-Auditing |
+| Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
 | Windows Firewall Changes | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Cobalt Strike Named Pipes | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>17</a></span> | Microsoft-Windows-Sysmon |
-| SCM Database Privileged Operation | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4674' style='color: inherit;'>4674</a></span> | Microsoft-Windows-Security-Auditing |
+| TOR Usage Generic Rule | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>3</a></span> | Microsoft-Windows-Sysmon |
 | Disable Security Events Logging Adding Reg Key MiniNt | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Account Removed From A Security Enabled Group | master | <span style="color:#D89462">4729</span> | Microsoft-Windows-Security-Auditing |
+| Execution From Suspicious Folder | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| SCM Database Privileged Operation | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4674' style='color: inherit;'>4674</a></span> | Microsoft-Windows-Security-Auditing |
+| Network Share Discovery | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Suspicious PsExec Execution | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| Process Herpaderping | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>25</a></span> | Microsoft-Windows-Sysmon |
+| Protected Storage Service Access | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| Microsoft 365 Device Code Authentication | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> |  |
+| Microsoft Defender Antivirus Exclusion Configuration | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>5007</a></span> | Microsoft-Windows-Sysmon, Microsoft-Windows-Windows Defender |
+| AD User Enumeration | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span> | Microsoft-Windows-Security-Auditing |
+| Microsoft Defender Antivirus History Deleted | master | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1013</a></span> | Microsoft-Windows-Windows Defender |
 | Netsh Port Opening | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| PowerShell Malicious PowerShell Commandlets | master | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| Microsoft 365 (Office 365) Potential Ransomware Activity Detected | master | 40 |  |
+| File Or Folder Permissions Modifications | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Stop Backup Services | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Potential RDP Connection To Non-Domain Host | master | <span style="color:#B60016">8001</span> | Microsoft-Windows-NTLM |
+| Svchost DLL Search Order Hijack | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| Remote Registry Management Using Reg Utility | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| AD Privileged Users Or Groups Reconnaissance | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661' style='color: inherit;'>4661</a></span> | Microsoft-Windows-Security-Auditing |
+| Usage Of Sysinternals Tools | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Cobalt Strike Named Pipes | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>17</a></span> | Microsoft-Windows-Sysmon |
+| FromBase64String Command Line | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| DNS Server Error Failed Loading The ServerLevelPluginDLL | master | 150, 770, 771 | Microsoft-Windows-DNS-Server-Service |
+| Admin Share Access | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140' style='color: inherit;'>5140</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| List Shadow Copies | master | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| Microsoft 365 (Office 365) MCAS Repeated Failed Login | master | 98 |  |
+| Malware Persistence Registry Key | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| LSASS Memory Dump | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
 | Net.exe User Account Creation | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Registry Checked For Lanmanserver DisableCompression Parameter | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663' style='color: inherit;'>4663</a></span> | Microsoft-Windows-Security-Auditing |
-| Microsoft Defender Antivirus History Deleted | master | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1013</a></span> | Microsoft-Windows-Windows Defender |
-| Putty Sessions Listing | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663' style='color: inherit;'>4663</a></span> | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
+| Rubeus Register New Logon Process | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4611' style='color: inherit;'>4611</a></span> | Microsoft-Windows-Security-Auditing |
 | User Account Created | master | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720' style='color: inherit;'>4720</a></span> | Microsoft-Windows-Security-Auditing |
-| Account Added To A Security Enabled Group | master | <span style="color:#D89462">4728</span> | Microsoft-Windows-Security-Auditing |
-| FromBase64String Command Line | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| User Account Deleted | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743' style='color: inherit;'>4743</a></span> | Microsoft-Windows-Security-Auditing |
-| SCM Database Handle Failure | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span> | Microsoft-Windows-Security-Auditing |
+| Abusing Azure Browser SSO | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Microsoft Defender Antivirus Exclusion Command | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Privileged AD Builtin Group Modified | master | <span style="color:#D89462">4727</span>, <span style="color:#D89462">4728</span>, <span style="color:#D89462">4729</span>, <span style="color:#D89462">4730</span>, <span style="color:#D89462">4754</span>, <span style="color:#D89462">4756</span>, <span style="color:#D89462">4757</span>, <span style="color:#D89462">4758</span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4764' style='color: inherit;'>4764</a></span> | Microsoft-Windows-Security-Auditing |
+| Putty Sessions Listing | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663' style='color: inherit;'>4663</a></span> | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
 | Microsoft 365 (Office 365) MCAS Risky IP | master | 98 |  |
 | Admin User RDP Remote Logon | master | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624' style='color: inherit;'>4624</a> | Microsoft-Windows-Security-Auditing |
-| WMIC Loading Scripting Libraries | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Access To Sensitive File Extensions | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| Microsoft 365 (Office 365) MCAS Inbox Hiding | master | 98 |  |
-| TOR Usage Generic Rule | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>3</a></span> | Microsoft-Windows-Sysmon |
+| Sysmon Windows File Block Executable | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>27</a></span> | Microsoft-Windows-Sysmon |
+| User Account Deleted | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743' style='color: inherit;'>4743</a></span> | Microsoft-Windows-Security-Auditing |
+| Microsoft 365 (Office 365) MCAS Detection Velocity | master | 98 |  |
 | LSASS Access From Non System Account | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663' style='color: inherit;'>4663</a></span> | Microsoft-Windows-Security-Auditing |
-| Rubeus Register New Logon Process | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4611' style='color: inherit;'>4611</a></span> | Microsoft-Windows-Security-Auditing |
 | Narrator Feedback-Hub Persistence | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Potential RDP Connection To Non-Domain Host | master | <span style="color:#B60016">8001</span> | Microsoft-Windows-NTLM |
-| Microsoft 365 (Office 365) MCAS Detection Velocity | master | 98 |  |
-| DNS Server Error Failed Loading The ServerLevelPluginDLL | master | 150, 770, 771 | Microsoft-Windows-DNS-Server-Service |
-| Remote Registry Management Using Reg Utility | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| Advanced IP Scanner | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Windows Registry Persistence COM Key Linking | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Failed Logon Source From Public IP Addresses | master | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625' style='color: inherit;'>4625</a> | Microsoft-Windows-Security-Auditing |
 | Webshell Creation | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663' style='color: inherit;'>4663</a></span> | Microsoft-Windows-Sysmon |
-| Sysmon Windows File Block Executable | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>27</a></span> | Microsoft-Windows-Sysmon |
-| Autorun Keys Modification | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>12</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious PsExec Execution | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| Network Share Discovery | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| CVE-2017-11882 Microsoft Office Equation Editor Vulnerability | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>3</a></span> | Microsoft-Windows-Sysmon |
-| FoggyWeb Backdoor DLL Loading | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| Process Hollowing Detection | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>25</a></span> | Microsoft-Windows-Sysmon |
-| PowerShell Malicious PowerShell Commandlets | master | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Microsoft Defender Antivirus Disable Using Registry | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| LSASS Memory Dump | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
-| Privileged AD Builtin Group Modified | master | <span style="color:#D89462">4727</span>, <span style="color:#D89462">4728</span>, <span style="color:#D89462">4729</span>, <span style="color:#D89462">4730</span>, <span style="color:#D89462">4754</span>, <span style="color:#D89462">4756</span>, <span style="color:#D89462">4757</span>, <span style="color:#D89462">4758</span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4764' style='color: inherit;'>4764</a></span> | Microsoft-Windows-Security-Auditing |
-| xWizard Execution | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| List Shadow Copies | master | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Microsoft Defender Antivirus Configuration Changed | master | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>5007</a></span> | Microsoft-Windows-Windows Defender |
-| In-memory PowerShell | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| Abusing Azure Browser SSO | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| File Or Folder Permissions Modifications | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Protected Storage Service Access | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| AD Privileged Users Or Groups Reconnaissance | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661' style='color: inherit;'>4661</a></span> | Microsoft-Windows-Security-Auditing |
-| Execution From Suspicious Folder | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | DNS ServerLevelPluginDll Installation | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Microsoft Defender Antivirus Exclusion Command | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Malware Persistence Registry Key | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Microsoft 365 Device Code Authentication | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> |  |
-| Microsoft Defender Antivirus Exclusion Configuration | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>5007</a></span> | Microsoft-Windows-Sysmon, Microsoft-Windows-Windows Defender |
-| Suspicious New Printer Ports In Registry | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Process Herpaderping | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>25</a></span> | Microsoft-Windows-Sysmon |
-| Microsoft 365 (Office 365) MCAS Repeated Failed Login | master | 98 |  |
-| CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| Microsoft 365 (Office 365) MCAS Repeated Delete | master | 98 |  |
-| Usage Of Sysinternals Tools | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious DLL Loaded Via Office Applications | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| AD User Enumeration | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span> | Microsoft-Windows-Security-Auditing |
-| Stop Backup Services | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
 | Credential Dumping-Tools Common Named Pipes | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>17</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Disable Using Registry | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
 | Windows Defender Deactivation Using PowerShell Script | master | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Microsoft 365 (Office 365) Potential Ransomware Activity Detected | master | 40 |  |
+| Advanced IP Scanner | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft 365 (Office 365) MCAS Inbox Hiding | master | 98 |  |
+| Microsoft Defender Antivirus Configuration Changed | master | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>5007</a></span> | Microsoft-Windows-Windows Defender |
+| Microsoft 365 (Office 365) MCAS Repeated Delete | master | 98 |  |
 | Microsoft Office Creating Suspicious File | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| Failed Logon Source From Public IP Addresses | master | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625' style='color: inherit;'>4625</a> | Microsoft-Windows-Security-Auditing |
-| WMI DLL Loaded Via Office | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| User Couldn't Call A Privileged Service LsaRegisterLogonProcess | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673' style='color: inherit;'>4673</a></span> | Microsoft-Windows-Security-Auditing |
-| Admin Share Access | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140' style='color: inherit;'>5140</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| Svchost DLL Search Order Hijack | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| Data Compressed With Rar | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Legitimate Process Execution From Unusual Folder | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Sysmon |
-| XCopy Suspicious Usage | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| WMI Persistence Script Event Consumer File Write | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| PowerShell Malicious Nishang PowerShell Commandlets | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Telegram Bot API Request | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>22</a></span> | Microsoft-Windows-Sysmon |
-| PowerShell EncodedCommand | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| New Service Creation | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| PowerShell - NTFS Alternate Data Stream | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Suspicious PowerShell Keywords | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Netsh Allow Command | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Exploit For CVE-2017-0261 Or CVE-2017-0262 | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Remote Service Activity Via SVCCTL Named Pipe | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| WMI Event Subscription | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>19</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>20</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>21</a></span> | Microsoft-Windows-Sysmon |
-| Webshell Execution W3WP Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Rare Logonui Child Found | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Dynwrapx Module Loading | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| Domain Trust Created Or Removed | advanced | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706' style='color: inherit;'>4706</a></span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4707' style='color: inherit;'>4707</a></span> | Microsoft-Windows-Security-Auditing |
+| In-memory PowerShell | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| Windows Registry Persistence COM Key Linking | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious DLL Loaded Via Office Applications | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| SCM Database Handle Failure | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span> | Microsoft-Windows-Security-Auditing |
+| Suspicious New Printer Ports In Registry | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Account Removed From A Security Enabled Group | master | <span style="color:#D89462">4729</span> | Microsoft-Windows-Security-Auditing |
+| Account Added To A Security Enabled Group | master | <span style="color:#D89462">4728</span> | Microsoft-Windows-Security-Auditing |
+| CVE-2017-11882 Microsoft Office Equation Editor Vulnerability | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>3</a></span> | Microsoft-Windows-Sysmon |
+| Autorun Keys Modification | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>12</a></span> | Microsoft-Windows-Sysmon |
+| Process Hollowing Detection | master | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>25</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Access To Sensitive File Extensions | master | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| Lateral Movement - Remote Named Pipe | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| Suspicious PrinterPorts Creation (CVE-2020-1048) | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
 | Winlogon wrong parent | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Microsoft Defender Antivirus Tampering Detected | advanced | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1127</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>2013</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>5001</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>5010</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>5012</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>5101</a></span> | Microsoft-Windows-Windows Defender |
-| PsExec Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#B60016">7045</span> | Microsoft-Windows-Sysmon, Service Control Manager |
-| External Disk Drive Or USB Storage Device | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416' style='color: inherit;'>6416</a></span> | Microsoft-Windows-Security-Auditing |
-| Adexplorer Usage | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Rclone Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious ADSI-Cache Usage By Unknown Tool | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| Powershell AMSI Bypass | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| AccCheckConsole Executing Dll | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| Python Opening Ports | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5154' style='color: inherit;'>5154</a></span> | Microsoft-Windows-Security-Auditing |
-| Mimikatz LSASS Memory Access | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
-| RDP Sensitive Settings Changed | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Load Of dbghelp/dbgcore DLL From Suspicious Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| CreateRemoteThread Common Process Injection | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>8</a></span> | Microsoft-Windows-Sysmon |
+| Exfiltration And Tunneling Tools Execution | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Csrss Wrong Parent | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Cmd.exe Command Line | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious PROCEXP152.sys File Created In Tmp | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
 | Alternate PowerShell Hosts Pipe | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>17</a></span> | Microsoft-Windows-Sysmon |
-| Active Directory Replication from Non Machine Account | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span> | Microsoft-Windows-Security-Auditing |
-| Taskhost or Taskhostw Suspicious Child Found | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Rubeus Tool Command-line | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Cmd.exe Used To Run Reconnaissance Commands | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Malicious PowerShell Keywords | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Account Tampering - Suspicious Failed Logon Reasons | advanced | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625' style='color: inherit;'>4625</a>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776' style='color: inherit;'>4776</a></span> | Microsoft-Windows-Security-Auditing |
-| Microsoft Office Product Spawning Windows Shell | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| PowerShell Invoke-Obfuscation Obfuscated IEX Invocation | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Suspicious PrinterPorts Creation (CVE-2020-1048) | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
-| Change Default File Association | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Powershell Web Request | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Domain Trust Created Or Removed | advanced | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706' style='color: inherit;'>4706</a></span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4707' style='color: inherit;'>4707</a></span> | Microsoft-Windows-Security-Auditing |
+| Suspicious XOR Encoded PowerShell Command Line | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| ACLight Discovering Privileged Accounts | advanced | <span style="color:#B60016">4103</span> | Microsoft-Windows-PowerShell |
+| Windows Registry Persistence COM Search Order Hijacking | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Disabled IE Security Features | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Exploit For CVE-2017-0261 Or CVE-2017-0262 | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| SAM Registry Hive Handle Request | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span> | Microsoft-Windows-Security-Auditing |
+| Dynwrapx Module Loading | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious desktop.ini Action | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
 | AutoIt3 Execution From Suspicious Folder | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| RDP Session Discovery | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Outbound Kerberos Connection | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156' style='color: inherit;'>5156</a></span> | Microsoft-Windows-Security-Auditing |
+| PowerShell Data Compressed | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Rubeus Tool Command-line | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Rare Logonui Child Found | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Legitimate Process Execution From Unusual Folder | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Sysmon |
+| Active Directory Replication from Non Machine Account | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span> | Microsoft-Windows-Security-Auditing |
+| Webshell Execution W3WP Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Adexplorer Usage | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Change Default File Association | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Control Panel Items | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Default Encoding To UTF-8 PowerShell | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Cmd.exe Command Line | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Office Product Spawning Windows Shell | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Python Opening Ports | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5154' style='color: inherit;'>5154</a></span> | Microsoft-Windows-Security-Auditing |
 | Logon Scripts (UserInitMprLogonScript) | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious XOR Encoded PowerShell Command Line | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| PowerView commandlets 2 | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Suspicious Outbound Kerberos Connection | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156' style='color: inherit;'>5156</a></span> | Microsoft-Windows-Security-Auditing |
-| Metasploit PSExec Service Creation | advanced | <span style="color:#B60016">7045</span> | Service Control Manager |
+| PsExec Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#B60016">7045</span> | Microsoft-Windows-Sysmon, Service Control Manager |
+| Telegram Bot API Request | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>22</a></span> | Microsoft-Windows-Sysmon |
+| Load Of dbghelp/dbgcore DLL From Suspicious Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| Account Tampering - Suspicious Failed Logon Reasons | advanced | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625' style='color: inherit;'>4625</a>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776' style='color: inherit;'>4776</a></span> | Microsoft-Windows-Security-Auditing |
+| External Disk Drive Or USB Storage Device | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416' style='color: inherit;'>6416</a></span> | Microsoft-Windows-Security-Auditing |
+| Mimikatz LSASS Memory Access | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious ADSI-Cache Usage By Unknown Tool | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
 | Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically | advanced | 64 |  |
-| Suspicious desktop.ini Action | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
-| Powershell Web Request | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| PowerShell EncodedCommand | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| AccCheckConsole Executing Dll | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| WMI Persistence Script Event Consumer File Write | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Active Directory Replication User Backdoor | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
+| WMI Event Subscription | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>19</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>20</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>21</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Control Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Unsigned Image Loaded Into LSASS Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| Winword wrong parent | advanced | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Security-Auditing |
-| Exfiltration And Tunneling Tools Execution | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| PowerShell Data Compressed | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Svchost Wrong Parent | advanced | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Security-Auditing |
 | Hiding Files With Attrib.exe | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Suspicious Windows DNS Queries | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>22</a></span> | Microsoft-Windows-Sysmon |
-| Svchost Wrong Parent | advanced | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Security-Auditing |
-| Csrss Wrong Parent | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Active Directory Replication User Backdoor | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
-| PowerView commandlets 1 | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Lateral Movement - Remote Named Pipe | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| Suspicious Control Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| RDP Session Discovery | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Disabled IE Security Features | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Remote Privileged Group Enumeration | advanced | 4799 | Microsoft-Windows-Security-Auditing |
-| ACLight Discovering Privileged Accounts | advanced | <span style="color:#B60016">4103</span> | Microsoft-Windows-PowerShell |
-| CreateRemoteThread Common Process Injection | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>8</a></span> | Microsoft-Windows-Sysmon |
-| NTDS.dit File In Suspicious Directory | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious PROCEXP152.sys File Created In Tmp | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| SAM Registry Hive Handle Request | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span> | Microsoft-Windows-Security-Auditing |
+| Metasploit PSExec Service Creation | advanced | <span style="color:#B60016">7045</span> | Service Control Manager |
+| New Service Creation | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
 | Domain Group And Permission Enumeration | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Windows Registry Persistence COM Search Order Hijacking | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Creation or Modification of a GPO Scheduled Task | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| Suspicious LDAP-Attributes Used | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
-| Possible RottenPotato Attack | intermediate | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624' style='color: inherit;'>4624</a> | Microsoft-Windows-Security-Auditing |
-| DLL Load via LSASS Registry Key | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>12</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious certutil command | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| NjRat Registry Changes | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>12</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Powershell UploadString Function | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Smss Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Clear EventLogs Through CommandLine | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious PowerShell Invocations - Generic | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Gpscript Suspicious Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Mshta Execution From Wmi | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Exchange Server Creating Unusual Files | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| Ngrok Process Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| PowerCat Function Loading | intermediate | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Credential Dumping Tools Service Execution | intermediate | <span style="color:#B60016">7045</span> | Service Control Manager |
-| Qakbot Persistence Using Schtasks | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data | intermediate | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Commonly Used Commands To Stop Services And Remove Backups | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| ETW Tampering | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Lsass Access Through WinRM | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
-| Backup Catalog Deleted | intermediate | 524 | Microsoft-Windows-Backup |
-| STRRAT Scheduled Task | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| XSL Script Processing And SquiblyTwo Attack | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Chafer (APT 39) Activity | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Microsoft-Windows-Security-Auditing, Service Control Manager |
-| WMImplant Hack Tool | intermediate | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Wmic Process Call Creation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Malicious Named Pipe | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>17</a></span> | Microsoft-Windows-Sysmon |
-| NetSh Used To Disable Windows Firewall | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Network Connection Via Certutil | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>3</a></span> | Microsoft-Windows-Sysmon |
+| Powershell AMSI Bypass | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| Winword wrong parent | advanced | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Security-Auditing |
+| Taskhost or Taskhostw Suspicious Child Found | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Default Encoding To UTF-8 PowerShell | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| PowerShell - NTFS Alternate Data Stream | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| PowerView commandlets 2 | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Malicious PowerShell Keywords | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| PowerShell Invoke-Obfuscation Obfuscated IEX Invocation | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| Netsh Allow Command | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Rclone Process | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| XCopy Suspicious Usage | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| NTDS.dit File In Suspicious Directory | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| RDP Sensitive Settings Changed | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| PowerShell Malicious Nishang PowerShell Commandlets | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| Remote Service Activity Via SVCCTL Named Pipe | advanced | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| Suspicious PowerShell Keywords | advanced | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| PowerView commandlets 1 | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Remote Privileged Group Enumeration | advanced | 4799 |  |
+| Exfiltration Domain In Command Line | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Powershell Winlogon Helper DLL | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Suspicious DNS Child Process | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Disable Windows Defender Credential Guard | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| NetNTLM Downgrade Attack | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4657' style='color: inherit;'>4657</a></span> | Microsoft-Windows-Sysmon |
+| WMImplant Hack Tool | intermediate | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| DCSync Attack | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span> | Microsoft-Windows-Security-Auditing |
+| Suspicious DLL side loading from ProgramData | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Scripting In A WMI Consumer | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>20</a></span> | Microsoft-Windows-Sysmon |
+| CertOC Loading Dll | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
+| Chafer (APT 39) Activity | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Microsoft-Windows-Security-Auditing, Service Control Manager |
+| Credential Dumping Tools Service Execution | intermediate | <span style="color:#B60016">7045</span> | Service Control Manager |
+| Lsass Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Hostname | intermediate | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624' style='color: inherit;'>4624</a> | Microsoft-Windows-Security-Auditing |
+| Suspicious Windows Script Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| Denied Access To Remote Desktop | intermediate | 4825 | Microsoft-Windows-Security-Auditing |
+| High Privileges Network Share Removal | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Data Compressed With Rar With Password | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
 | Python HTTP Server | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Outlook Child Process | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Security-Auditing |
-| Active Directory Delegate To KRBTGT Service | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738' style='color: inherit;'>4738</a></span> | Microsoft-Windows-Security-Auditing |
-| Wsmprovhost Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Eventlog Cleared | intermediate | 517, <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102' style='color: inherit;'>1102</a> | Microsoft-Windows-Eventlog |
-| Microsoft Defender Antivirus Disable Scheduled Tasks | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Impacket Secretsdump.py Tool | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| Pandemic Windows Implant | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| DHCP Server Error Failed Loading the CallOut DLL | intermediate | 1031, 1032, 1034 | Microsoft-Windows-DHCP-Server |
+| Backup Catalog Deleted | intermediate | 524 | Microsoft-Windows-Backup |
+| Taskhostw Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| XSL Script Processing And SquiblyTwo Attack | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Explorer Process Executing HTA File | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Mshta Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Exchange Server Spawning Suspicious Processes | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Exchange Mailbox Export | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Suspicious Finger Usage | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| TUN/TAP Driver Installation | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Service Control Manager |
-| RDP Port Change Using Powershell | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| PowerShell Download From URL | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Microsoft 365 (Office 365) Malware Uploaded On SharePoint | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>6</a></span> |  |
-| Remote Task Creation Via ATSVC Named Pipe | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| Suspicious Network Args In Command Line | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
-| Phosphorus Domain Controller Discovery | intermediate | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| NetNTLM Downgrade Attack | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4657' style='color: inherit;'>4657</a></span> | Microsoft-Windows-Sysmon |
+| Winrshost Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Smss Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft 365 (Office 365) Malware Uploaded On OneDrive | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>6</a></span> |  |
+| MS Office Product Spawning Exe in User Dir | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | SquirrelWaffle Malspam Execution Loading DLL | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Wmic Service Call | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Desktopimgdownldr Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Exploiting SetupComplete.cmd CVE-2019-1378 | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Rundll32.exe Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
 | LSASS Memory Dump File Creation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| DHCP Callout DLL Installation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Exfiltration Domain In Command Line | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Windows Script Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| QakBot Process Creation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Rare Lsass Child Found | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| NlTest Usage | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| StoneDrill Service Install | intermediate | <span style="color:#B60016">7045</span> | Service Control Manager |
-| Trickbot Malware Activity | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Netsh Program Allowed With Suspicious Location | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Mshta Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Password Dumper Activity On LSASS | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span> | Microsoft-Windows-Security-Auditing |
-| Microsoft Defender Antivirus Threat Detected | intermediate | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1006</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1007</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1008</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1015</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1116</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1117</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1118</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1119</a></span>, 1125, 1126 | Microsoft-Windows-Windows Defender |
+| Remote Enumeration of Lateral Movement Groups | intermediate | 4799 | Microsoft-Windows-Security-Auditing |
+| Csrss Child Found | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Remote Task Creation Via ATSVC Named Pipe | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| Microsoft Defender Antivirus Set-MpPreference Base64 Encoded | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Wininit Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Commonly Used Commands To Stop Services And Remove Backups | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| NTDS.dit File Interaction Through Command Line | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| New Or Renamed User Account With '$' In Attribute 'SamAccountName' | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720' style='color: inherit;'>4720</a></span> | Microsoft-Windows-Security-Auditing |
+| Suspicious Cmd File Copy Command To Network Share | intermediate | 30 | Microsoft-Windows-Kernel-File |
+| Suspicious DLL Loading By Ordinal | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Possible Replay Attack | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649' style='color: inherit;'>4649</a></span> | Microsoft-Windows-Security-Auditing |
+| STRRAT Scheduled Task | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Powershell UploadString Function | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Possible RottenPotato Attack | intermediate | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624' style='color: inherit;'>4624</a> | Microsoft-Windows-Security-Auditing |
+| Suspicious Process Requiring DLL Starts Without DLL | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| MMC20 Lateral Movement | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| WMIC Uninstall Product | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Rundll32.exe Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
+| Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action | intermediate | 64 |  |
+| GPO Executable Delivery | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
+| Schtasks Suspicious Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| DC Shadow via Service Principal Name (SPN) creation | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4742' style='color: inherit;'>4742</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
+| Suspicious Finger Usage | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Successful Overpass The Hash Attempt | intermediate | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624' style='color: inherit;'>4624</a> | Microsoft-Windows-Security-Auditing |
+| NjRat Registry Changes | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>12</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| DPAPI Domain Backup Key Extraction | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span> | Microsoft-Windows-Security-Auditing |
+| Lsass Access Through WinRM | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
+| DNS Exfiltration and Tunneling Tools Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Searchindexer Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Bloodhound and Sharphound Tools Usage | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Exchange Server Creating Unusual Files | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Restoration Abuse | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Wmic Service Call | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspect Svchost Memory Access | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Disable SecurityHealth | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Phosphorus Domain Controller Discovery | intermediate | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| PowerShell Download From URL | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
 | SOCKS Tunneling Tool | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Windows Installer Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| WCE wceaux.dll Creation | intermediate | 30 | Microsoft-Windows-Kernel-File |
 | Userinit Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Spoolsv Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| MSBuild Abuse | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>3</a></span> | Microsoft-Windows-Sysmon |
-| MMC Spawning Windows Shell | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| SolarWinds Suspicious File Creation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| Formbook Hijacked Process Command | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Schtasks Suspicious Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Inhibit System Recovery Deleting Backups | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Sliver DNS Beaconing | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>22</a></span> | Microsoft-Windows-Sysmon |
-| Winrshost Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Password Change On Directory Service Restore Mode (DSRM) Account | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4794' style='color: inherit;'>4794</a></span> | Microsoft-Windows-Security-Auditing |
-| Formbook File Creation DB1 | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious DLL side loading from ProgramData | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| New DLL Added To AppCertDlls Registry Key | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Commands From MS SQL Server Shell | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Capture a network trace with netsh.exe | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Audio Capture via PowerShell | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Ryuk Ransomware Persistence Registry Key | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| NlTest Usage | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| OceanLotus Registry Activity | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Netsh Allowed Python Program | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Netsh Program Allowed With Suspicious Location | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Searchprotocolhost Child Found | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Non-Legitimate Executable Using AcceptEula Parameter | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>3</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process, Microsoft-Windows-Kernel-Process |
-| Suspicious PowerShell Invocations - Specific | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| IIS Module Installation Using AppCmd | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Microsoft Defender Antivirus Set-MpPreference Base64 Encoded | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft 365 Email Forwarding To Email Address With Rare TLD | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> |  |
+| Pandemic Windows Implant | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Wmiprvse Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| COM Hijack Via Sdclt | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| DHCP Server Error Failed Loading the CallOut DLL | intermediate | 1031, 1032, 1033, 1034 | Microsoft-Windows-DHCP-Server |
+| Spoolsv Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Gpscript Suspicious Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Creation or Modification of a GPO Scheduled Task | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| DHCP Callout DLL Installation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Regsvr32 Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| StoneDrill Service Install | intermediate | <span style="color:#B60016">7045</span> | Service Control Manager |
+| Suspicious Outlook Child Process | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Security-Auditing |
+| Password Dumper Activity On LSASS | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span> | Microsoft-Windows-Security-Auditing |
+| Microsoft 365 (Office 365) AtpDetection | intermediate | 47 |  |
+| Microsoft Defender Antivirus Disable Services | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Detection of default Mimikatz banner | intermediate | <span style="color:#B60016">4103</span> | Microsoft-Windows-PowerShell |
+| SolarWinds Wrong Child Process | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious PowerShell Invocations - Generic | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | CMSTP Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Netsh RDP Port Opening | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| KeePass Config XML In Command-Line | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| OceanLotus Registry Activity | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| OneNote Embedded File | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
+| UAC Bypass Using Fodhelper | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
 | WMIC Command To Determine The Antivirus | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Searchindexer Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Csrss Child Found | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Usage Of Procdump With Common Arguments | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Active Directory User Backdoors | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
-| Venom Multi-hop Proxy agent detection | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| Logonui Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| GPO Executable Delivery | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
-| Microsoft 365 Email Forwarding To Email Address With Rare TLD | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> |  |
-| MMC20 Lateral Movement | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | HackTools Suspicious Process Names In Command Line | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Microsoft-Windows-Sysmon |
+| Password Change On Directory Service Restore Mode (DSRM) Account | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4794' style='color: inherit;'>4794</a></span> | Microsoft-Windows-Security-Auditing |
 | MOFComp Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Scripting In A WMI Consumer | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>20</a></span> | Microsoft-Windows-Sysmon |
-| Lsass Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Denied Access To Remote Desktop | intermediate | 4825 | Microsoft-Windows-Security-Auditing |
-| CMSTP UAC Bypass via COM Object Access | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| COM Hijack Via Sdclt | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Process Requiring DLL Starts Without DLL | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Bloodhound and Sharphound Tools Usage | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Registry Key Used By Some Old Agent Tesla Samples | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Successful Overpass The Hash Attempt | intermediate | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624' style='color: inherit;'>4624</a> | Microsoft-Windows-Security-Auditing |
-| High Privileges Network Share Removal | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| DHCP Server Loaded the CallOut DLL | intermediate | 1033 | Microsoft-Windows-DHCP-Server |
-| Sysprep On AppData Folder | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Cred Dump Tools Dropped Files | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| DPAPI Domain Backup Key Extraction | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span> | Microsoft-Windows-Security-Auditing |
-| Mshta Suspicious Child Process | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| Netsh RDP Port Opening | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Scheduled Task Creation | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Security-Auditing |
+| Active Directory User Backdoors | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
+| Venom Multi-hop Proxy agent detection | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
+| Suspicious SAM Dump | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>16</a></span> | Microsoft-Windows-Kernel-General |
+| Suspicious Windows Installer Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Taskkill Command | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Inhibit System Recovery Deleting Backups | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
 | Suspicious Driver Loaded | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| New DLL Added To AppCertDlls Registry Key | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Transfering Files With Credential Data Via Network Shares | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| OneNote Embedded File | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
+| Eventlog Cleared | intermediate | 517, <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102' style='color: inherit;'>1102</a> | Microsoft-Windows-Eventlog |
+| Usage Of Procdump With Common Arguments | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
 | Grabbing Sensitive Hives Via Reg Utility | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| MS Office Product Spawning Exe in User Dir | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Explorer Process Executing HTA File | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Wininit Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| WCE wceaux.dll Creation | intermediate | 30 | Microsoft-Windows-Kernel-File |
-| Werfault DLL Injection | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| Mshta Suspicious Child Process | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| Non-Legitimate Executable Using AcceptEula Parameter | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>3</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process, Microsoft-Windows-Kernel-Process |
+| Trickbot Malware Activity | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Taskhost Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious certutil command | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Microsoft Office Spawning Script | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Microsoft 365 (Office 365) AtpDetection | intermediate | 47 |  |
-| Suspicious Hostname | intermediate | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624' style='color: inherit;'>4624</a> | Microsoft-Windows-Security-Auditing |
-| Ryuk Ransomware Persistence Registry Key | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Audio Capture via PowerShell | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Copy Of Legitimate System32 Executable | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| NTDS.dit File Interaction Through Command Line | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Sliver DNS Beaconing | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>22</a></span> | Microsoft-Windows-Sysmon |
+| RDP Port Change Using Powershell | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Disable .NET ETW Through COMPlus_ETWEnabled | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Registry Key Used By Some Old Agent Tesla Samples | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Hijack Legit RDP Session To Move Laterally | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Impacket Secretsdump.py Tool | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
+| MMC Spawning Windows Shell | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| MalwareBytes Uninstallation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Malicious Named Pipe | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>17</a></span> | Microsoft-Windows-Sysmon |
+| Active Directory Delegate To KRBTGT Service | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738' style='color: inherit;'>4738</a></span> | Microsoft-Windows-Security-Auditing |
+| Werfault DLL Injection | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| Wmic Process Call Creation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| MSBuild Abuse | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>3</a></span> | Microsoft-Windows-Sysmon |
+| Qakbot Persistence Using Schtasks | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Secure Deletion With SDelete | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4658' style='color: inherit;'>4658</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663' style='color: inherit;'>4663</a></span> | Microsoft-Windows-Security-Auditing |
+| KeePass Config XML In Command-Line | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data | intermediate | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
 | User Added to Local Administrators | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732' style='color: inherit;'>4732</a></span> | Microsoft-Windows-Security-Auditing |
-| Suspicious Taskkill Command | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious DNS Child Process | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| CMSTP UAC Bypass via COM Object Access | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Sysprep On AppData Folder | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| NetSh Used To Disable Windows Firewall | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious LDAP-Attributes Used | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
+| Network Connection Via Certutil | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>3</a></span> | Microsoft-Windows-Sysmon |
 | MavInject Process Injection | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Wmiprvse Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Secure Deletion With SDelete | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4658' style='color: inherit;'>4658</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663' style='color: inherit;'>4663</a></span> | Microsoft-Windows-Security-Auditing |
-| Suspicious Commands From MS SQL Server Shell | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| WMIC Uninstall Product | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Disable .NET ETW Through COMPlus_ETWEnabled | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| CertOC Loading Dll | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| Exchange Server Spawning Suspicious Processes | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | BazarLoader Persistence Using Schtasks | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Possible Replay Attack | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649' style='color: inherit;'>4649</a></span> | Microsoft-Windows-Security-Auditing |
-| Suspicious Regsvr32 Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| MalwareBytes Uninstallation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| DNS Exfiltration and Tunneling Tools Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Microsoft Defender Antivirus Restoration Abuse | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Koadic Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Taskhost Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Data Compressed With Rar With Password | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| DCSync Attack | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span> | Microsoft-Windows-Security-Auditing |
-| Spyware Persistence Using Schtasks | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| UAC Bypass Using Fodhelper | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Microsoft Defender Antivirus Disable SecurityHealth | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Hijack Legit RDP Session To Move Laterally | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| New Or Renamed User Account With '$' In Attribute 'SamAccountName' | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720' style='color: inherit;'>4720</a></span> | Microsoft-Windows-Security-Auditing |
-| Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action | intermediate | 64 |  |
-| Suspicious Cmd File Copy Command To Network Share | intermediate | 30 | Microsoft-Windows-Kernel-File |
-| SolarWinds Wrong Child Process | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| DC Shadow via Service Principal Name (SPN) creation | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4742' style='color: inherit;'>4742</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
-| Suspicious SAM Dump | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>16</a></span> | Microsoft-Windows-Kernel-General |
-| Microsoft Defender Antivirus Disable Services | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Disable Scheduled Tasks | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Suspicious Network Args In Command Line | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process, Microsoft-Windows-Sysmon |
+| Copy Of Legitimate System32 Executable | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Network Sniffing Windows | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft 365 Email Forwarding To Consumer Email Address | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> |  |
+| IIS Module Installation Using AppCmd | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Logonui Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Searchprotocolhost Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Cred Dump Tools Dropped Files | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Cmdkey Cached Credentials Recon | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Clear EventLogs Through CommandLine | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | PowerShell Execution Via Rundll32 | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Network Sniffing Windows | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Scheduled Task Creation | intermediate | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-Windows-Security-Auditing |
-| Transfering Files With Credential Data Via Network Shares | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145' style='color: inherit;'>5145</a></span> | Microsoft-Windows-Security-Auditing |
-| Netsh Allowed Python Program | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious Desktopimgdownldr Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Detection of default Mimikatz banner | intermediate | <span style="color:#B60016">4103</span> | Microsoft-Windows-PowerShell |
-| Disable Windows Defender Credential Guard | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Taskhostw Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Ngrok Process Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Rare Lsass Child Found | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft 365 (Office 365) Malware Uploaded On SharePoint | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>6</a></span> |  |
+| Formbook File Creation DB1 | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Spyware Persistence Using Schtasks | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| QakBot Process Creation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Formbook Hijacked Process Command | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious PowerShell Invocations - Specific | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| DLL Load via LSASS Registry Key | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>12</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Wsmprovhost Wrong Parent | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| PowerCat Function Loading | intermediate | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
 | Microsoft Malware Protection Engine Crash | intermediate | 1000 | Application Error |
-| Cmdkey Cached Credentials Recon | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious DLL Loading By Ordinal | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Powershell Winlogon Helper DLL | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Suspect Svchost Memory Access | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
-| Microsoft 365 (Office 365) Malware Uploaded On OneDrive | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>6</a></span> |  |
-| Capture a network trace with netsh.exe | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Microsoft 365 Email Forwarding To Consumer Email Address | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> |  |
-| Active Directory Database Dump Via Ntdsutil | elementary | 325 | ESENT |
-| WMI Persistence Command Line Event Consumer | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
-| Suspicious VBS Execution Parameter | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| OneNote Suspicious Children Process | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
-| AD Object WriteDAC Access | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span> | Microsoft-Windows-Security-Auditing |
-| Outlook Registry Access | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Elise Backdoor | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Antivirus Password Dumper Detection | elementary | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1116</a></span> | Microsoft-Windows-Windows Defender |
-| Suspicious HWP Child Process | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Microsoft Defender Antivirus Signatures Removed With MpCmdRun | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Copying Sensitive Files With Credential Data | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| ICacls Granting Access To All | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Windows Credential Editor Registry Key | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| CVE-2019-0708 Scan | elementary | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625' style='color: inherit;'>4625</a> | Microsoft-Windows-Security-Auditing |
-| Antivirus Exploitation Framework Detection | elementary | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1116</a></span> | Microsoft-Windows-Windows Defender |
-| Windows Update LolBins | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Microsoft 365 Sign-in With No User Agent | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> |  |
-| PasswordDump SecurityXploded Tool | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Cobalt Strike Default Beacons Names | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Mshta Execution From Wmi | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| ETW Tampering | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| TUN/TAP Driver Installation | intermediate | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Service Control Manager |
+| SolarWinds Suspicious File Creation | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Threat Detected | intermediate | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1006</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1007</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1008</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1015</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1116</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1117</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1118</a></span>, <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1119</a></span>, 1125, 1126 | Microsoft-Windows-Windows Defender |
+| DHCP Server Loaded the CallOut DLL | intermediate | 1033 |  |
+| Phorpiex DriveMgr Command | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| FlowCloud Malware | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
 | Explorer Wrong Parent | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Ursnif Registry Key | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Cobalt Strike Default Service Creation Usage | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Microsoft-Windows-Security-Auditing, Service Control Manager |
-| Suspicious Headless Web Browser Execution To Download File | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| RedMimicry Winnti Playbook Dropped File | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| RYUK Ransomeware - martinstevens Username | elementary | <span style="color:#B60016">4103</span> | Microsoft-Windows-PowerShell |
-| Phosphorus (APT35) Exchange Discovery | elementary | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Microsoft Office Startup Add-In | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| Ryuk Ransomware Command Line | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Process Memory Dump Using Comsvcs | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| AdFind Usage | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| RTLO Character | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
-| Exploited CVE-2020-10189 Zoho ManageEngine | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Netsh RDP Port Forwarding | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| DNS Tunnel Technique From MuddyWater | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Office Application Startup Office Test | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Invoke-TheHash Commandlets | elementary | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Mustang Panda Dropper | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| RDP Login From Localhost | elementary | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624' style='color: inherit;'>4624</a> | Microsoft-Windows-Security-Auditing |
-| Copying Browser Files With Credentials | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Microsoft Entra ID (Azure AD) Domain Trust Modification | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>8</a></span> |  |
-| Empire Monkey Activity | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Credential Dumping By LaZagne | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
-| WiFi Credentials Harvesting Using Netsh | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| PowerShell Credential Prompt | elementary | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| IcedID Execution Using Excel | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Microsoft 365 Email Forwarding To Privacy Email Address | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> |  |
-| Mimikatz Basic Commands | elementary | <span style="color:#B60016">4103</span> | Microsoft-Windows-PowerShell |
-| Dumpert LSASS Process Dumper | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| APT29 Fake Google Update Service Install | elementary | <span style="color:#B60016">7045</span> | Service Control Manager |
 | Phorpiex Process Masquerading | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Process Memory Dump Using Rdrleakdiag | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
-| Wdigest Enable UseLogonCredential | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| TrustedInstaller Impersonation | elementary | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| Msdt (Follina) File Browse Process Execution | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Disable Task Manager Through Registry Key | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| OneNote Suspicious Children Process | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
+| Active Directory Shadow Credentials | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136' style='color: inherit;'>5136</a></span> | Microsoft-Windows-Security-Auditing |
+| AD Object WriteDAC Access | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662' style='color: inherit;'>4662</a></span> | Microsoft-Windows-Security-Auditing |
+| PowerShell Credential Prompt | elementary | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| Lazarus Loaders | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Equation Group DLL_U Load | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| AdFind Usage | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Sticky Key Like Backdoor Usage | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| PowerShell AMSI Deactivation Bypass Using .NET Reflection | elementary | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
 | Winword Document Droppers | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Schtasks Persistence With High Privileges | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious VBS Execution Parameter | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Microsoft Defender for Office 365 Medium Severity AIR Alert | elementary | 64 |  |
-| Msdt (Follina) File Browse Process Execution | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Microsoft Defender for Office 365 High Severity AIR Alert | elementary | 64 |  |
-| APT29 Fake Google Update Service Install | elementary | <span style="color:#B60016">7045</span> | Service Control Manager |
+| IcedID Execution Using Excel | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| RDP Login From Localhost | elementary | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624' style='color: inherit;'>4624</a> | Microsoft-Windows-Security-Auditing |
+| Mimikatz Basic Commands | elementary | <span style="color:#B60016">4103</span> | Microsoft-Windows-PowerShell |
 | Debugging Software Deactivation | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Domain Trust Discovery Through LDAP | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-REDACTED-Security-Auditing, Microsoft-Windows-Sysmon |
-| Lazarus Loaders | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Process Memory Dump Using Comsvcs | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Ryuk Ransomware Command Line | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Turla Named Pipes | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>17</a></span> | Microsoft-Windows-Sysmon |
+| Dllhost Wrong Parent | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Ursnif Registry Key | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Windows Credential Editor Registry Key | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Office Application Startup Office Test | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
 | Leviathan Registry Key Activity | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Malicious Service Installations | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Service Control Manager |
-| UAC Bypass Via Sdclt | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Audit CVE Event | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Audit-CVE |
-| Antivirus Web Shell Detection | elementary | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1116</a></span> | Microsoft-Windows-Windows Defender |
-| SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4704' style='color: inherit;'>4704</a></span> | Microsoft-Windows-Security-Auditing |
-| Malspam Execution Registering Malicious DLL | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
-| Meterpreter or Cobalt Strike Getsystem Service Installation | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>17</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon, Service Control Manager |
-| Mshta JavaScript Execution | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Phorpiex DriveMgr Command | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft 365 Suspicious Inbox Rule | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> |  |
+| WMI Persistence Command Line Event Consumer | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span> | Microsoft-Windows-Sysmon |
+| Phosphorus (APT35) Exchange Discovery | elementary | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
 | Antivirus Relevant File Paths Alerts | elementary | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1116</a></span> | Microsoft-Windows-Windows Defender |
-| Dllhost Wrong Parent | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| WMI Install Of Binary | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| RedMimicry Winnti Playbook Registry Manipulation | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Cobalt Strike Default Service Creation Usage | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Microsoft-Windows-Security-Auditing, Service Control Manager |
+| SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4704' style='color: inherit;'>4704</a></span> | Microsoft-Windows-Security-Auditing |
+| Audit CVE Event | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Audit-CVE |
 | SysKey Registry Keys Access | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656' style='color: inherit;'>4656</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663' style='color: inherit;'>4663</a></span> | Microsoft-Windows-Security-Auditing |
-| Sticky Key Like Backdoor Usage | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Headless Web Browser Execution To Download File | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| WiFi Credentials Harvesting Using Netsh | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Security Support Provider (SSP) Added to LSA Configuration | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Credential Dumping By LaZagne | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>10</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft 365 Email Forwarding To Privacy Email Address | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> |  |
+| Elise Backdoor | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| ICacls Granting Access To All | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Raccine Uninstall | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Process Memory Dump Using Createdump | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
+| Meterpreter or Cobalt Strike Getsystem Service Installation | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>17</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon, Service Control Manager |
+| Exploited CVE-2020-10189 Zoho ManageEngine | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Mustang Panda Dropper | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Defender for Office 365 High Severity AIR Alert | elementary | 64 |  |
+| Malicious Service Installations | elementary | <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Service Control Manager |
+| Copying Sensitive Files With Credential Data | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Suspicious Netsh DLL Persistence | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Copying Browser Files With Credentials | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Netsh RDP Port Forwarding | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Suspicious Windows ANONYMOUS LOGON Local Account Created | elementary | <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720' style='color: inherit;'>4720</a></span> | Microsoft-Windows-Security-Auditing |
-| Suspicious Double Extension | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Microsoft-Windows-Sysmon |
-| FlowCloud Malware | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Disable Task Manager Through Registry Key | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| PowerShell AMSI Deactivation Bypass Using .NET Reflection | elementary | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
-| Process Memory Dump Using Createdump | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Kernel-Process |
-| Microsoft 365 Suspicious Inbox Rule | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> |  |
-| PowerShell Downgrade Attack | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Turla Named Pipes | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>17</a></span> | Microsoft-Windows-Sysmon |
-| Exploit For CVE-2015-1641 | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Suncrypt Parameters | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Domain Trust Discovery Through LDAP | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688' style='color: inherit;'>4688</a></span> | Microsoft-REDACTED-Security-Auditing, Microsoft-Windows-Sysmon |
+| CVE-2019-0708 Scan | elementary | <a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625' style='color: inherit;'>4625</a> | Microsoft-Windows-Security-Auditing |
+| Smbexec.py Service Installation | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>6</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Service Control Manager |
 | Impacket Wmiexec Module | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Malspam Execution Registering Malicious DLL | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
 | Microsoft Defender Antivirus History Directory Deleted | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| PowerShell Downgrade Attack | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| RTLO Character | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Office Startup Add-In | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Process Memory Dump Using Rdrleakdiag | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| DNS Tunnel Technique From MuddyWater | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Antivirus Exploitation Framework Detection | elementary | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1116</a></span> | Microsoft-Windows-Windows Defender |
+| RedMimicry Winnti Playbook Registry Manipulation | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious Double Extension | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Microsoft-Windows-Sysmon |
+| WMI Install Of Binary | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| RedMimicry Winnti Playbook Dropped File | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Entra ID (Azure AD) Domain Trust Modification | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>8</a></span> |  |
+| Mshta JavaScript Execution | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Outlook Registry Access | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Wdigest Enable UseLogonCredential | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| Suspicious HWP Child Process | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| RYUK Ransomeware - martinstevens Username | elementary | <span style="color:#B60016">4103</span> | Microsoft-Windows-PowerShell |
+| Microsoft 365 Sign-in With No User Agent | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> |  |
+| Empire Monkey Activity | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Antivirus Web Shell Detection | elementary | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1116</a></span> | Microsoft-Windows-Windows Defender |
+| Antivirus Password Dumper Detection | elementary | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1116</a></span> | Microsoft-Windows-Windows Defender |
+| Active Directory Database Dump Via Ntdsutil | elementary | 325 | ESENT |
+| UAC Bypass Via Sdclt | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| PasswordDump SecurityXploded Tool | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Disable Workstation Lock | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Suncrypt Parameters | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Raccine Uninstall | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Smbexec.py Service Installation | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>6</a></span>, <span style="color:#B60016"><a href='https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697' style='color: inherit;'>4697</a></span>, <span style="color:#B60016">7045</span> | Service Control Manager |
-| UAC Bypass via Event Viewer | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
-| Security Support Provider (SSP) Added to LSA Configuration | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
+| TrustedInstaller Impersonation | elementary | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
 | Blue Mockingbird Malware | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
-| Equation Group DLL_U Load | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Exploit For CVE-2015-1641 | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Cobalt Strike Default Beacons Names | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>15</a></span> | Microsoft-Windows-Sysmon |
+| Dumpert LSASS Process Dumper | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>7</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Microsoft-Windows-Sysmon |
+| Invoke-TheHash Commandlets | elementary | <span style="color:#D89462">4104</span> | Microsoft-Windows-PowerShell |
+| Schtasks Persistence With High Privileges | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Windows Update LolBins | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Signatures Removed With MpCmdRun | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
+| UAC Bypass via Event Viewer | elementary | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>13</a></span> | Microsoft-Windows-Sysmon |
 
 ## EventIDs occurences in rules
-| EventID | Number of rules concerned | Percentage of rules concerned (Total rules: 433) |
+| EventID | Number of rules concerned | Percentage of rules concerned (Total rules: 434) |
 | ------- | ------------------------- | ------------------------------------------------------ |
-| 1 | 215 | 49.65 % |
-| 13 | 44 | 10.16 % |
-| 4104 | 42 | 9.7 % |
-| 11 | 18 | 4.16 % |
+| 1 | 213 | 49.08 % |
+| 13 | 44 | 10.14 % |
+| 4104 | 42 | 9.68 % |
+| 11 | 18 | 4.15 % |
 | 7 | 15 | 3.46 % |
-| 5145 | 11 | 2.54 % |
-| 5 | 11 | 2.54 % |
-| 7045 | 11 | 2.54 % |
-| 4656 | 8 | 1.85 % |
-| 15 | 7 | 1.62 % |
-| 4688 | 6 | 1.39 % |
-| 98 | 6 | 1.39 % |
-| 4662 | 6 | 1.39 % |
-| 17 | 6 | 1.39 % |
-| 10 | 6 | 1.39 % |
-| 4663 | 6 | 1.39 % |
-| 4697 | 6 | 1.39 % |
-| 5136 | 5 | 1.15 % |
+| 5 | 12 | 2.76 % |
+| 5145 | 11 | 2.53 % |
+| 7045 | 11 | 2.53 % |
+| 4656 | 8 | 1.84 % |
+| 15 | 7 | 1.61 % |
+| 10 | 6 | 1.38 % |
+| 4662 | 6 | 1.38 % |
+| 98 | 6 | 1.38 % |
+| 4697 | 6 | 1.38 % |
+| 5136 | 6 | 1.38 % |
+| 4663 | 6 | 1.38 % |
+| 17 | 6 | 1.38 % |
+| 4688 | 6 | 1.38 % |
 | 4624 | 5 | 1.15 % |
-| 1116 | 5 | 1.15 % |
 | 3 | 5 | 1.15 % |
-| 4103 | 4 | 0.92 % |
+| 1116 | 5 | 1.15 % |
 | 64 | 4 | 0.92 % |
+| 4103 | 4 | 0.92 % |
+| 6 | 3 | 0.69 % |
+| 4720 | 3 | 0.69 % |
 | 12 | 3 | 0.69 % |
 | 22 | 3 | 0.69 % |
 | 4625 | 3 | 0.69 % |
-| 4720 | 3 | 0.69 % |
-| 6 | 3 | 0.69 % |
-| 4729 | 2 | 0.46 % |
 | 20 | 2 | 0.46 % |
-| 4728 | 2 | 0.46 % |
-| 8 | 2 | 0.46 % |
 | 25 | 2 | 0.46 % |
+| 8 | 2 | 0.46 % |
 | 5007 | 2 | 0.46 % |
+| 4799 | 2 | 0.46 % |
 | 30 | 2 | 0.46 % |
-| 325 | 1 | 0.23 % |
+| 1033 | 2 | 0.46 % |
+| 4728 | 2 | 0.46 % |
+| 4729 | 2 | 0.46 % |
+| 4657 | 1 | 0.23 % |
+| 4673 | 1 | 0.23 % |
+| 4825 | 1 | 0.23 % |
 | 4674 | 1 | 0.23 % |
-| 19 | 1 | 0.23 % |
-| 21 | 1 | 0.23 % |
-| 524 | 1 | 0.23 % |
-| 4706 | 1 | 0.23 % |
-| 4707 | 1 | 0.23 % |
-| 4738 | 1 | 0.23 % |
 | 1127 | 1 | 0.23 % |
 | 5001 | 1 | 0.23 % |
 | 5101 | 1 | 0.23 % |
 | 5010 | 1 | 0.23 % |
 | 5012 | 1 | 0.23 % |
 | 2013 | 1 | 0.23 % |
+| 524 | 1 | 0.23 % |
 | 1013 | 1 | 0.23 % |
-| 6416 | 1 | 0.23 % |
-| 517 | 1 | 0.23 % |
-| 1102 | 1 | 0.23 % |
-| 4743 | 1 | 0.23 % |
-| 1032 | 1 | 0.23 % |
-| 1034 | 1 | 0.23 % |
-| 1031 | 1 | 0.23 % |
-| 5154 | 1 | 0.23 % |
-| 4657 | 1 | 0.23 % |
-| 4611 | 1 | 0.23 % |
+| 4706 | 1 | 0.23 % |
+| 4707 | 1 | 0.23 % |
+| 4649 | 1 | 0.23 % |
+| 40 | 1 | 0.23 % |
 | 8001 | 1 | 0.23 % |
+| 4742 | 1 | 0.23 % |
+| 4661 | 1 | 0.23 % |
+| 4704 | 1 | 0.23 % |
+| 5156 | 1 | 0.23 % |
 | 770 | 1 | 0.23 % |
 | 771 | 1 | 0.23 % |
 | 150 | 1 | 0.23 % |
-| 1125 | 1 | 0.23 % |
-| 1126 | 1 | 0.23 % |
-| 1006 | 1 | 0.23 % |
-| 1007 | 1 | 0.23 % |
-| 1008 | 1 | 0.23 % |
-| 1015 | 1 | 0.23 % |
-| 1117 | 1 | 0.23 % |
-| 1118 | 1 | 0.23 % |
-| 1119 | 1 | 0.23 % |
-| 27 | 1 | 0.23 % |
-| 4776 | 1 | 0.23 % |
-| 4794 | 1 | 0.23 % |
+| 5140 | 1 | 0.23 % |
+| 4611 | 1 | 0.23 % |
+| 1032 | 1 | 0.23 % |
+| 1034 | 1 | 0.23 % |
+| 1031 | 1 | 0.23 % |
+| 5154 | 1 | 0.23 % |
 | 4754 | 1 | 0.23 % |
 | 4756 | 1 | 0.23 % |
 | 4757 | 1 | 0.23 % |
@@ -532,49 +524,58 @@ The colors of the EventIDs in this page should be interpreted as follow:
 | 4727 | 1 | 0.23 % |
 | 4730 | 1 | 0.23 % |
 | 4764 | 1 | 0.23 % |
-| 5156 | 1 | 0.23 % |
-| 4825 | 1 | 0.23 % |
-| 1033 | 1 | 0.23 % |
-| 4704 | 1 | 0.23 % |
-| 4661 | 1 | 0.23 % |
 | 47 | 1 | 0.23 % |
-| 4732 | 1 | 0.23 % |
-| 4658 | 1 | 0.23 % |
-| 4649 | 1 | 0.23 % |
-| 4799 | 1 | 0.23 % |
-| 40 | 1 | 0.23 % |
-| 4742 | 1 | 0.23 % |
+| 4776 | 1 | 0.23 % |
+| 6416 | 1 | 0.23 % |
+| 4794 | 1 | 0.23 % |
+| 27 | 1 | 0.23 % |
+| 4743 | 1 | 0.23 % |
 | 16 | 1 | 0.23 % |
+| 517 | 1 | 0.23 % |
+| 1102 | 1 | 0.23 % |
+| 19 | 1 | 0.23 % |
+| 21 | 1 | 0.23 % |
+| 4738 | 1 | 0.23 % |
+| 4658 | 1 | 0.23 % |
+| 4732 | 1 | 0.23 % |
+| 325 | 1 | 0.23 % |
 | 1000 | 1 | 0.23 % |
-| 4673 | 1 | 0.23 % |
-| 5140 | 1 | 0.23 % |
+| 1125 | 1 | 0.23 % |
+| 1126 | 1 | 0.23 % |
+| 1006 | 1 | 0.23 % |
+| 1007 | 1 | 0.23 % |
+| 1008 | 1 | 0.23 % |
+| 1015 | 1 | 0.23 % |
+| 1117 | 1 | 0.23 % |
+| 1118 | 1 | 0.23 % |
+| 1119 | 1 | 0.23 % |
 
 ## EventProviders occurences in rules
-| EventProvider | Number of rules concerned | Percentage of rules concerned (Total rules: 433) |
+| EventProvider | Number of rules concerned | Percentage of rules concerned (Total rules: 434) |
 | ------- | ------------------------- | ------------------------------------------------------ |
-| Microsoft-Windows-Sysmon | 288 | 66.51 % |
-| Microsoft-Windows-Security-Auditing | 66 | 15.24 % |
-| Microsoft-Windows-PowerShell | 46 | 10.62 % |
-| Kernel-Process | 12 | 2.77 % |
-| Service Control Manager | 11 | 2.54 % |
-| Microsoft-Windows-Windows Defender | 9 | 2.08 % |
-| Microsoft-Windows-DHCP-Server | 2 | 0.46 % |
+| Microsoft-Windows-Sysmon | 286 | 65.9 % |
+| Microsoft-Windows-Security-Auditing | 67 | 15.44 % |
+| Microsoft-Windows-PowerShell | 46 | 10.6 % |
+| Kernel-Process | 13 | 3.0 % |
+| Service Control Manager | 11 | 2.53 % |
+| Microsoft-Windows-Windows Defender | 9 | 2.07 % |
 | Microsoft-Windows-Kernel-File | 2 | 0.46 % |
-| ESENT | 1 | 0.23 % |
 | Microsoft-Windows-Backup | 1 | 0.23 % |
-| Microsoft-Windows-Eventlog | 1 | 0.23 % |
 | Microsoft-Windows-NTLM | 1 | 0.23 % |
+| Microsoft-Windows-Audit-CVE | 1 | 0.23 % |
 | Microsoft-Windows-DNS-Server-Service | 1 | 0.23 % |
-| Microsoft-Windows-Kernel-Process | 1 | 0.23 % |
+| Microsoft-Windows-DHCP-Server | 1 | 0.23 % |
 | Microsoft-REDACTED-Security-Auditing | 1 | 0.23 % |
-| Microsoft-Windows-Audit-CVE | 1 | 0.23 % |
 | Microsoft-Windows-Kernel-General | 1 | 0.23 % |
+| Microsoft-Windows-Eventlog | 1 | 0.23 % |
+| Microsoft-Windows-Kernel-Process | 1 | 0.23 % |
+| ESENT | 1 | 0.23 % |
 | Application Error | 1 | 0.23 % |
 
 ## EffortLevel x EventIDs
-| Effort Level | EventIDs | Number of related rules | Percentage of related rules (Total rules: 433 |
+| Effort Level | EventIDs | Number of related rules | Percentage of related rules (Total rules: 434 |
 | ------------ | -------- | ----------------------- | ------------------------------------------------------- |
-| master | 1, 10, 1013, 11, 12, 13, 15, 150, 17, 25, 27, 3, 40, 4104, 4611, 4624, 4625, 4656, 4661, 4662, 4663, 4673, 4674, 4720, 4727, 4728, 4729, 4730, 4743, 4754, 4756, 4757, 4758, 4764, 5007, 5140, 5145, 7, 770, 771, 8001, 98 | 77 | 17.78 % |
-| advanced | 1, 10, 11, 1127, 13, 15, 17, 19, 20, 2013, 21, 22, 4103, 4104, 4625, 4656, 4662, 4688, 4706, 4707, 4776, 4799, 5, 5001, 5010, 5012, 5101, 5136, 5145, 5154, 5156, 64, 6416, 7, 7045, 8 | 75 | 17.32 % |
-| intermediate | 1, 10, 1000, 1006, 1007, 1008, 1015, 1031, 1032, 1033, 1034, 11, 1102, 1116, 1117, 1118, 1119, 1125, 1126, 12, 13, 15, 16, 17, 20, 22, 3, 30, 4103, 4104, 4624, 4649, 4656, 4657, 4658, 4662, 4663, 4688, 4697, 47, 4720, 4732, 4738, 4742, 4794, 4825, 5, 5136, 5145, 517, 524, 6, 64, 7, 7045 | 183 | 42.26 % |
-| elementary | 1, 10, 11, 1116, 13, 15, 17, 325, 4103, 4104, 4624, 4625, 4656, 4662, 4663, 4688, 4697, 4704, 4720, 5, 6, 64, 7, 7045, 8 | 98 | 22.63 % |
\ No newline at end of file
+| master | 1, 10, 1013, 11, 12, 13, 15, 150, 17, 25, 27, 3, 40, 4104, 4611, 4624, 4625, 4656, 4661, 4662, 4663, 4673, 4674, 4720, 4727, 4728, 4729, 4730, 4743, 4754, 4756, 4757, 4758, 4764, 5007, 5140, 5145, 7, 770, 771, 8001, 98 | 76 | 17.51 % |
+| advanced | 1, 10, 11, 1127, 13, 15, 17, 19, 20, 2013, 21, 22, 4103, 4104, 4625, 4656, 4662, 4688, 4706, 4707, 4776, 4799, 5, 5001, 5010, 5012, 5101, 5136, 5145, 5154, 5156, 64, 6416, 7, 7045, 8 | 75 | 17.28 % |
+| intermediate | 1, 10, 1000, 1006, 1007, 1008, 1015, 1031, 1032, 1033, 1034, 11, 1102, 1116, 1117, 1118, 1119, 1125, 1126, 12, 13, 15, 16, 17, 20, 22, 3, 30, 4103, 4104, 4624, 4649, 4656, 4657, 4658, 4662, 4663, 4688, 4697, 47, 4720, 4732, 4738, 4742, 4794, 4799, 4825, 5, 5136, 5145, 517, 524, 6, 64, 7, 7045 | 184 | 42.4 % |
+| elementary | 1, 10, 11, 1116, 13, 15, 17, 325, 4103, 4104, 4624, 4625, 4656, 4662, 4663, 4688, 4697, 4704, 4720, 5, 5136, 6, 64, 7, 7045, 8 | 99 | 22.81 % |
\ No newline at end of file