From 214f7de53cfb3195f7ab3f71595642c2522ce2b1 Mon Sep 17 00:00:00 2001
From: GuillaumeCSekoia <81572498+GuillaumeCSekoia@users.noreply.github.com>
Date: Fri, 22 Mar 2024 10:21:48 +0000
Subject: [PATCH] Refresh Built-in detection rules documentation
---
...f5e-a585fc7c8fc0_do_not_edit_manually.json | 2 +-
...41e-af269b45bef1_do_not_edit_manually.json | 2 +-
...7d1-588319e39d71_do_not_edit_manually.json | 2 +-
...5c4-c8174c307e48_do_not_edit_manually.json | 2 +-
...06d-f92f3a46bcdd_do_not_edit_manually.json | 2 +-
...575-9e43af779f9f_do_not_edit_manually.json | 2 +-
...5e2-4597e366b8c4_do_not_edit_manually.json | 2 +-
...02e-e88fe2193365_do_not_edit_manually.json | 2 +-
...803-e7990afe78b6_do_not_edit_manually.json | 2 +-
...b17-90c0be6b1f10_do_not_edit_manually.json | 2 +-
...9b6-76bf5298a617_do_not_edit_manually.json | 2 +-
...fbd-01e3fac01cd5_do_not_edit_manually.json | 2 +-
...c24-2d7129137688_do_not_edit_manually.json | 2 +-
...13a-f8dd48cddc8c_do_not_edit_manually.json | 2 +-
...46b-974354a107bb_do_not_edit_manually.json | 2 +-
...cfd-43f7d9595777_do_not_edit_manually.json | 2 +-
...d19-67edc91fb063_do_not_edit_manually.json | 2 +-
...e06-7b335e439c29_do_not_edit_manually.json | 2 +-
...916-636c27ba4931_do_not_edit_manually.json | 2 +-
...b02-e72f870fcbd1_do_not_edit_manually.json | 2 +-
...901-b7fadfb0ba48_do_not_edit_manually.json | 2 +-
...038-3f7d5a3b8b11_do_not_edit_manually.json | 2 +-
...976-250cba2eaf5b_do_not_edit_manually.json | 2 +-
...00a-2b58303cac90_do_not_edit_manually.json | 2 +-
...e47-1574946412b6_do_not_edit_manually.json | 2 +-
...750-5db882ea1266_do_not_edit_manually.json | 2 +-
...87f-48a3dc07d4d3_do_not_edit_manually.json | 2 +-
...033-6f1f887a70f2_do_not_edit_manually.json | 2 +-
...597-d2944a601930_do_not_edit_manually.json | 2 +-
...6bd-91a447bb26bd_do_not_edit_manually.json | 2 +-
...f3b-f73a622c9687_do_not_edit_manually.json | 2 +-
...c99-5c2de7e1d340_do_not_edit_manually.json | 2 +-
...4fa-28d6c1f2e2a8_do_not_edit_manually.json | 2 +-
...d69-684a0b3835fc_do_not_edit_manually.json | 2 +-
...d60-8fd5e39140b3_do_not_edit_manually.json | 2 +-
...4e0-4f0c0f9138b8_do_not_edit_manually.json | 2 +-
...109-c6d85b91bbcf_do_not_edit_manually.json | 2 +-
...703-7452882e70da_do_not_edit_manually.json | 2 +-
...2ff-0e1cde564161_do_not_edit_manually.json | 2 +-
...f81-30df7b1963a0_do_not_edit_manually.json | 2 +-
...e09-44d31626b694_do_not_edit_manually.json | 2 +-
...28f-3ee3cd5b9a8e_do_not_edit_manually.json | 2 +-
...47b-ef64dd87c981_do_not_edit_manually.json | 2 +-
...780-b225c59e9f99_do_not_edit_manually.json | 2 +-
...1f3-49e3993c16f5_do_not_edit_manually.json | 2 +-
...546-98539fc07725_do_not_edit_manually.json | 2 +-
...f2d-eed5013fe463_do_not_edit_manually.json | 2 +-
...60f-2d3fd0b46987_do_not_edit_manually.json | 2 +-
...c15-3828627ba899_do_not_edit_manually.json | 2 +-
...5de-5c2722fa020e_do_not_edit_manually.json | 2 +-
...d8b-08d6315e1ef6_do_not_edit_manually.json | 2 +-
...70f-fd3b54ba1fe4_do_not_edit_manually.json | 2 +-
...cbb-bc830118c1f9_do_not_edit_manually.json | 2 +-
...f1d-772e9a30f0dd_do_not_edit_manually.json | 2 +-
...bcc-45fd108ba1be_do_not_edit_manually.json | 2 +-
...427-621541e881d5_do_not_edit_manually.json | 2 +-
...90d-9af2f7be7019_do_not_edit_manually.json | 2 +-
...76c-408472fcfebb_do_not_edit_manually.json | 2 +-
...1ed-b9e88f05e67a_do_not_edit_manually.json | 2 +-
...060-a9d9f2d270db_do_not_edit_manually.json | 2 +-
...dd4-30f1870e3d03_do_not_edit_manually.json | 2 +-
...afa-595bd430c0cb_do_not_edit_manually.json | 2 +-
...f79-da99b487b1af_do_not_edit_manually.json | 2 +-
...ae5-aa67d2f29fcb_do_not_edit_manually.json | 2 +-
...79a-f97be24cc02d_do_not_edit_manually.json | 2 +-
...e56-0242ac120002_do_not_edit_manually.json | 2 +-
...763-aad3451821e5_do_not_edit_manually.json | 2 +-
...0ce-dbcae04eaf26_do_not_edit_manually.json | 2 +-
...5aa-2a6a900df99b_do_not_edit_manually.json | 2 +-
...43e-9848cadb1f99_do_not_edit_manually.json | 2 +-
...844-f7f4d7348199_do_not_edit_manually.json | 2 +-
...847-983f38efb8ff_do_not_edit_manually.json | 2 +-
...602-a5994544d9ed_do_not_edit_manually.json | 2 +-
...e3d-587fdd99a421_do_not_edit_manually.json | 2 +-
...15f-1f83807ff3cc_do_not_edit_manually.json | 2 +-
...659-4cb814431e29_do_not_edit_manually.json | 2 +-
...fa0-c63661820941_do_not_edit_manually.json | 2 +-
...9c5-e075f3fb3216_do_not_edit_manually.json | 2 +-
...e89-f2b8be4baf4e_do_not_edit_manually.json | 2 +-
...8ed-b7fb3d7fa232_do_not_edit_manually.json | 2 +-
...785-c1276277b5d7_do_not_edit_manually.json | 2 +-
...e0e-ca4e6cecf7e6_do_not_edit_manually.json | 2 +-
...af5-b69c7b679887_do_not_edit_manually.json | 2 +-
...cb6-2f574bd4ce51_do_not_edit_manually.json | 2 +-
...399-ddd992d48472_do_not_edit_manually.json | 2 +-
...c2d-e2cfa46bf0e5_do_not_edit_manually.json | 2 +-
...098-fe4a9e0aeaa0_do_not_edit_manually.json | 2 +-
...7e6-7e0948e12415_do_not_edit_manually.json | 2 +-
...in_rules_changelog_do_not_edit_manually.md | 8 ++-
.../built_in_rules_do_not_edit_manually.md | 71 ++++++++++++++++++-
...-8e06-7b335e439c29_do_not_edit_manually.md | 30 ++++++++
...-bb02-e72f870fcbd1_do_not_edit_manually.md | 2 +-
...-9bcc-45fd108ba1be_do_not_edit_manually.md | 2 +-
.../built_in_detection_rules_eventids.md | 61 ++++++++--------
94 files changed, 227 insertions(+), 123 deletions(-)
diff --git a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
index 88d8f40764..55f1c77e55 100644
--- a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, Suspicious Taskkill Command, CertOC Loading Dll, MavInject Process Injection, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, WMIC Uninstall Product, Netsh Port Forwarding, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Phorpiex DriveMgr Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, MavInject Process Injection, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
index 0fe4ae5bd9..146efc4b6d 100644
--- a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh RDP Port Opening, Debugging Software Deactivation, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Windows Firewall Changes, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, SSH X11 Forwarding, SSH Tunnel Traffic, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File and Directory Permissions Modification"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File and Directory Permissions Modification"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Linux Binary Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Linux Binary Masquerading"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Aspnet Compiler, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, Lazarus Loaders, Powershell Web Request, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Sysprep On AppData Folder, Python Offensive Tools and Packages, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage, Linux Suspicious Search, Outlook Registry Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Control Panel Items, CMSTP Execution, Equation Group DLL_U Load, Suspicious Windows Installer Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Suspicious Control Process, Explorer Process Executing HTA File, MavInject Process Injection, Mshta JavaScript Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Windows Firewall Changes, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Opening, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, ETW Tampering, Clear EventLogs Through CommandLine, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SSH X11 Forwarding, SSH Tunnel Traffic, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: File and Directory Permissions Modification, Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File and Directory Permissions Modification, Linux Remove Immutable Attribute"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Linux Binary Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Linux Binary Masquerading, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Elise Backdoor, Sysprep On AppData Folder, Linux Bash Reverse Shell, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Aspnet Compiler, Generic-reverse-shell-oneliner, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, WMIC Uninstall Product, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Windows Script Execution, Python Offensive Tools and Packages, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Mshta JavaScript Execution, xWizard Execution, Suspicious Mshta Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Taskkill Command, CMSTP Execution, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Powershell Web Request, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
index f802ff5d8a..cda4cf1c4e 100644
--- a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
index fd91a24215..3796b67af4 100644
--- a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: WithSecure Elements Critical Severity, Microsoft Defender Antivirus Threat Detected, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WithSecure Elements Critical Severity, Microsoft Defender Antivirus Threat Detected, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Aspnet Compiler, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, Lazarus Loaders, Powershell Web Request, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Office Creating Suspicious File, Sysprep On AppData Folder, Python Offensive Tools and Packages, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: WithSecure Elements Critical Severity, Microsoft Defender Antivirus Threat Detected, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process, Exfiltration Via Pscp"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Windows Firewall Changes, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage, Linux Suspicious Search, Outlook Registry Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious Control Process, AccCheckConsole Executing Dll, Control Panel Items, Suspicious DLL Loading By Ordinal, xWizard Execution, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious Mshta Execution, CertOC Loading Dll, MavInject Process Injection, Mshta JavaScript Execution, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Lazarus Loaders, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Failed Logon Source From Public IP Addresses, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: WithSecure Elements Critical Severity, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Sysprep On AppData Folder, Linux Bash Reverse Shell, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Aspnet Compiler, WithSecure Elements Critical Severity, Generic-reverse-shell-oneliner, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, PowerShell Downgrade Attack, AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, WMIC Uninstall Product, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Office Creating Suspicious File, Powershell Web Request, Suspicious Windows Script Execution, Python Offensive Tools and Packages, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: WithSecure Elements Critical Severity, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, Microsoft Defender Antivirus Threat Detected, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, ETW Tampering, Clear EventLogs Through CommandLine, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Tampering Detected, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, DNS Server Error Failed Loading The ServerLevelPluginDLL, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Mshta JavaScript Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Control Panel Items, Suspicious Control Process, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, xWizard Execution, Suspicious Mshta Execution, CertOC Loading Dll, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Explorer Process Executing HTA File, CMSTP Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Powershell Web Request, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
index ea0ef6b7bc..d6dd497f88 100644
--- a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Report", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Google Workspace User Suspended, Google Workspace User Deletion, Google Workspace Admin Deletion"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Google Workspace Admin Creation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Google Workspace Password Change"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Report", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Google Workspace Admin Deletion, Google Workspace User Deletion, Google Workspace User Suspended"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Google Workspace Admin Creation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Google Workspace Password Change"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
index 1dafe00f3d..c169fef996 100644
--- a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender XDR Endpoint Alert, Microsoft Defender XDR Alert, Cobalt Strike Default Beacons Names, Microsoft Defender XDR Office 365 Alert, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, Microsoft Defender XDR Cloud App Security Alert, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, IcedID Execution Using Excel, Winword Document Droppers"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, IcedID Execution Using Excel, Winword Document Droppers"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Nimbo-C2 User Agent, Python HTTP Server, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Python HTTP Server, DNS Tunnel Technique From MuddyWater, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Windows Credential Editor Registry Key, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, SELinux Disabling, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Suspicious Driver Loaded, Disabled Service, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, SELinux Disabling, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Suspicious Driver Loaded, Disabled Service, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh RDP Port Opening, Debugging Software Deactivation, FLTMC command usage, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Windows Firewall Changes, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender XDR Endpoint Alert, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender XDR Alert, WMIC Uninstall Product, Microsoft Defender XDR Office 365 Alert, QakBot Process Creation, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Aspnet Compiler, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, MalwareBytes Uninstallation, Lazarus Loaders, Powershell Web Request, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, Interactive Terminal Spawned via Python, Socat Relaying Socket, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Socat Reverse Shell Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender XDR Cloud App Security Alert, Suspicious Outlook Child Process, Mshta Suspicious Child Process, Sysprep On AppData Folder, Python Offensive Tools and Packages, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Leviathan Registry Key Activity, NjRat Registry Changes, Autorun Keys Modification"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage, Linux Suspicious Search, Outlook Registry Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious Control Process, IcedID Execution Using Excel, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious DLL Loading By Ordinal, xWizard Execution, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious Mshta Execution, CertOC Loading Dll, MOFComp Execution, Suspicious Regsvr32 Execution, MavInject Process Injection, Mshta JavaScript Execution, Empire Monkey Activity, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Mshta Suspicious Child Process, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Winrshost Wrong Parent, Suspicious DNS Child Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, PsExec Process, Winword wrong parent, Wininit Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Winrshost Wrong Parent, Suspicious DNS Child Process, Microsoft Defender XDR Endpoint Alert, Usage Of Sysinternals Tools, Microsoft Defender XDR Alert, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, SolarWinds Suspicious File Creation, Microsoft Defender XDR Office 365 Alert, Microsoft Defender XDR Cloud App Security Alert, PsExec Process, Windows Update LolBins, Winword wrong parent, Exfiltration Via Pscp, Wininit Wrong Parent"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Windows Firewall Changes, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, Winrshost Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Winword wrong parent, Wininit Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, Winrshost Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Winword wrong parent, Wininit Wrong Parent"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Defender XDR Endpoint Alert, IcedID Execution Using Excel, Suspicious Outlook Child Process, Microsoft Defender XDR Alert, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Defender XDR Office 365 Alert, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Defender XDR Cloud App Security Alert"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, IcedID Execution Using Excel, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Winword Document Droppers, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Exploit For CVE-2017-0261 Or CVE-2017-0262, Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Opening, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, SELinux Disabling, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Disabled Service, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, SELinux Disabling, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Disabled Service, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Opening, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Sysprep On AppData Folder, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Venom Multi-hop Proxy agent detection, Aspnet Compiler, Microsoft Defender XDR Cloud App Security Alert, Generic-reverse-shell-oneliner, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, PowerShell Downgrade Attack, Microsoft Defender XDR Office 365 Alert, Suspicious VBS Execution Parameter, WMIC Uninstall Product, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, Microsoft Defender XDR Endpoint Alert, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Suspicious Outlook Child Process, Microsoft Defender XDR Alert, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Windows Script Execution, Python Offensive Tools and Packages, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Interactive Terminal Spawned via Python, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Lazarus Loaders, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, Leviathan Registry Key Activity, Kernel Module Alteration"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Mshta JavaScript Execution, MavInject Process Injection, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Control Panel Items, Suspicious Control Process, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, xWizard Execution, Suspicious Mshta Execution, Suspicious Regsvr32 Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Explorer Process Executing HTA File, CMSTP Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Powershell Web Request, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Disable Workstation Lock, FlowCloud Malware, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Winrshost Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Usage Of Procdump With Common Arguments, Winword wrong parent, SolarWinds Wrong Child Process, PsExec Process, Wininit Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Winrshost Wrong Parent, Windows Update LolBins, Microsoft Defender XDR Endpoint Alert, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Usage Of Procdump With Common Arguments, Winword wrong parent, Microsoft Defender XDR Alert, Exfiltration Via Pscp, SolarWinds Wrong Child Process, Microsoft Defender XDR Office 365 Alert, PsExec Process, Wininit Wrong Parent, Microsoft Defender XDR Cloud App Security Alert, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winrshost Wrong Parent, Winword wrong parent, New Service Creation, SolarWinds Wrong Child Process, Wininit Wrong Parent, Explorer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winrshost Wrong Parent, Winword wrong parent, New Service Creation, SolarWinds Wrong Child Process, Wininit Wrong Parent, Explorer Wrong Parent"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
index 5b4913f921..46c7860a6a 100644
--- a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
index 7280b26f11..3cfcb5f066 100644
--- a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Trend Micro Apex One Data Loss Prevention Alert, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Trend Micro Apex One Malware Alert"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Potential DNS Tunnel, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Impacket Addcomputer"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Aspnet Compiler, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, Trend Micro Apex One Data Loss Prevention Alert, MalwareBytes Uninstallation, Lazarus Loaders, Powershell Web Request, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Office Creating Suspicious File, Sysprep On AppData Folder, Python Offensive Tools and Packages, Trend Micro Apex One Malware Alert, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Trend Micro Apex One Data Loss Prevention Alert, PsExec Process, Trend Micro Apex One Malware Alert, Exfiltration Via Pscp"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh RDP Port Opening, Debugging Software Deactivation, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Windows Firewall Changes, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage, Linux Suspicious Search, Outlook Registry Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Control Panel Items, CMSTP Execution, Equation Group DLL_U Load, Suspicious Windows Installer Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Suspicious Control Process, Explorer Process Executing HTA File, MavInject Process Injection, Mshta JavaScript Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Windows Firewall Changes, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Trend Micro Apex One Data Loss Prevention Alert, Trend Micro Apex One Malware Alert, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Elise Backdoor, Sysprep On AppData Folder, Linux Bash Reverse Shell, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Aspnet Compiler, Generic-reverse-shell-oneliner, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, PowerShell Downgrade Attack, AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, WMIC Uninstall Product, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Trend Micro Apex One Data Loss Prevention Alert, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Office Creating Suspicious File, Powershell Web Request, Suspicious Windows Script Execution, Python Offensive Tools and Packages, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Trend Micro Apex One Malware Alert, Lazarus Loaders"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Trend Micro Apex One Data Loss Prevention Alert, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Trend Micro Apex One Malware Alert, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, ETW Tampering, Clear EventLogs Through CommandLine, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Mshta JavaScript Execution, xWizard Execution, Suspicious Mshta Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Taskkill Command, CMSTP Execution, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Powershell Web Request, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
index 93e5384a93..0cfa44bce9 100644
--- a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Agent Disabled, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Malicious), Download Files From Suspicious TLDs, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Custom Rule Alert, MS Office Product Spawning Exe in User Dir, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR User Failed To Log In To The Management Console"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, SentinelOne EDR Threat Mitigation Report Quarantine Success, WMIC Uninstall Product, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Custom Rule Alert, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Exploiting SetupComplete.cmd CVE-2019-1378, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Threat Detected (Suspicious), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Agent Disabled, Default Encoding To UTF-8 PowerShell, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Mitigation Report Remediate Success, Suspicious Taskkill Command, SentinelOne EDR SSO User Added, Suspicious PowerShell Invocations - Specific, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Mitigation Report Kill Success"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Quarantine Success, Usage Of Procdump With Common Arguments, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Mitigation Report Remediate Success, SolarWinds Wrong Child Process, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR User Failed To Log In To The Management Console"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Debugging Software Deactivation, FLTMC command usage, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Blue Mockingbird Malware, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious Windows Installer Execution, Suspicious Taskkill Command, CertOC Loading Dll, MavInject Process Injection, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation, Impacket Wmiexec Module"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR Malicious Threat Not Mitigated, Download Files From Suspicious TLDs, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Agent Disabled, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR User Logged In To The Management Console"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, SentinelOne EDR User Failed To Log In To The Management Console, Suspicious PowerShell Invocations - Specific, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Agent Disabled, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, MalwareBytes Uninstallation, SentinelOne EDR SSO User Added, SentinelOne EDR Custom Rule Alert, Suspicious Microsoft Defender Antivirus Exclusion Command, WMIC Uninstall Product, SentinelOne EDR Threat Mitigation Report Kill Success, Phorpiex DriveMgr Command, SentinelOne EDR Threat Mitigation Report Remediate Success, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Detected (Malicious), Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR User Logged In To The Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Mitigation Report Remediate Success, Usage Of Procdump With Common Arguments, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Agent Disabled, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SolarWinds Wrong Child Process, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR User Logged In To The Management Console"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, WMIC Uninstall Product, Netsh Port Forwarding, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, MavInject Process Injection, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, Control Panel Items"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
index 3ebc271697..1c823fb232 100644
--- a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
index 6f70e9aa8b..9fe52b4203 100644
--- a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh RDP Port Opening, Debugging Software Deactivation, FLTMC command usage, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Windows Firewall Changes, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, QakBot Process Creation, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Aspnet Compiler, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, Lazarus Loaders, Powershell Web Request, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious Outlook Child Process, Mshta Suspicious Child Process, Sysprep On AppData Folder, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage, Linux Suspicious Search, Outlook Registry Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Blue Mockingbird Malware, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious Control Process, IcedID Execution Using Excel, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious DLL Loading By Ordinal, xWizard Execution, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious Mshta Execution, CertOC Loading Dll, MOFComp Execution, Suspicious Regsvr32 Execution, MavInject Process Injection, Mshta JavaScript Execution, Empire Monkey Activity, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Mshta Suspicious Child Process, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, PsExec Process, Winword wrong parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, PsExec Process, Windows Update LolBins, Winword wrong parent, Exfiltration Via Pscp"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Windows Firewall Changes, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, IcedID Execution Using Excel, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, IcedID Execution Using Excel, Winword Document Droppers"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, SolarWinds Wrong Child Process, Winword wrong parent, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, SolarWinds Wrong Child Process, Winword wrong parent, New Service Creation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Sysprep On AppData Folder, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Aspnet Compiler, Generic-reverse-shell-oneliner, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, WMIC Uninstall Product, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious Outlook Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Lazarus Loaders"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Mshta JavaScript Execution, MavInject Process Injection, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Control Panel Items, Suspicious Control Process, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, xWizard Execution, Suspicious Mshta Execution, Suspicious Regsvr32 Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Explorer Process Executing HTA File, CMSTP Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Powershell Web Request, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Usage Of Procdump With Common Arguments, Winword wrong parent, SolarWinds Wrong Child Process, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Usage Of Procdump With Common Arguments, Winword wrong parent, Exfiltration Via Pscp, SolarWinds Wrong Child Process, PsExec Process, Windows Update LolBins"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Winword Document Droppers, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Outlook Child Process, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Winword Document Droppers, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, SolarWinds Wrong Child Process, Explorer Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, SolarWinds Wrong Child Process, Explorer Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
index d45e9bdbfb..b301f61a89 100644
--- a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Windows Credential Editor Registry Key, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Suspicious Driver Loaded, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Debugging Software Deactivation, Netsh RDP Port Forwarding, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, MalwareBytes Uninstallation, Suspicious Driver Loaded, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Suspicious Taskkill Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, Suspicious Taskkill Command, CertOC Loading Dll, MavInject Process Injection, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, NjRat Registry Changes"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, WMIC Uninstall Product, Netsh Port Forwarding, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Netsh Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Phorpiex DriveMgr Command, WMIC Uninstall Product, Venom Multi-hop Proxy agent detection, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, MavInject Process Injection, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, RDP Sensitive Settings Changed, Disable Workstation Lock, FlowCloud Malware, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json
index 64e7e436b3..f24892cff8 100644
--- a/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Linux [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, Suspicious Taskkill Command, CertOC Loading Dll, MavInject Process Injection, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Linux [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, WMIC Uninstall Product, Netsh Port Forwarding, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Phorpiex DriveMgr Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, MavInject Process Injection, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
index f1a0a245ae..3c3eb143e6 100644
--- a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
index dfb967d921..370b2f5a44 100644
--- a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Suspicious Browser"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Suspicious Browser"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Suspicious Browser"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Suspicious Browser"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
index e4348dc040..28265dbd0c 100644
--- a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-1147 SharePoint, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
index d21a25433e..c79369409b 100644
--- a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, Suspicious Taskkill Command, CertOC Loading Dll, MavInject Process Injection, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, WMIC Uninstall Product, Netsh Port Forwarding, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Phorpiex DriveMgr Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, MavInject Process Injection, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
index 0f4b7592ce..6f0650a1b3 100644
--- a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Potential DNS Tunnel, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: CrowdStrike Falcon Identity Protection Detection High Severity, Cobalt Strike Default Beacons Names, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Identity Protection Detection Critical Severity, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Intrusion Detection High Severity, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Intrusion Detection Medium Severity, Winword Document Droppers, CrowdStrike Falcon Identity Protection Detection Medium Severity, Microsoft Office Spawning Script, CrowdStrike Falcon Identity Protection Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, CrowdStrike Falcon Identity Protection Detection Low Severity"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: CrowdStrike Falcon Identity Protection Detection High Severity, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, QakBot Process Creation, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Aspnet Compiler, CrowdStrike Falcon Intrusion Detection, Suspicious Cmd.exe Command Line, CrowdStrike Falcon Identity Protection Detection Critical Severity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, CrowdStrike Falcon Intrusion Detection High Severity, MalwareBytes Uninstallation, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Intrusion Detection Medium Severity, Powershell Web Request, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Trickbot Malware Activity, CrowdStrike Falcon Identity Protection Detection Medium Severity, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, CrowdStrike Falcon Identity Protection Detection Informational Severity, Elise Backdoor, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious Outlook Child Process, Mshta Suspicious Child Process, Sysprep On AppData Folder, Python Offensive Tools and Packages, Suspicious Windows Script Execution, CrowdStrike Falcon Identity Protection Detection Low Severity, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Rare Logonui Child Found, CrowdStrike Falcon Identity Protection Detection High Severity, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, CrowdStrike Falcon Intrusion Detection, Winword wrong parent, Searchindexer Wrong Parent, CrowdStrike Falcon Identity Protection Detection Critical Severity, Lsass Wrong Parent, CrowdStrike Falcon Intrusion Detection High Severity, Smss Wrong Parent, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Intrusion Detection Medium Severity, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Exfiltration Via Pscp, CrowdStrike Falcon Identity Protection Detection Medium Severity, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, SolarWinds Wrong Child Process, CrowdStrike Falcon Identity Protection Detection Informational Severity, Svchost Wrong Parent, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Windows Update LolBins, Csrss Child Found, CrowdStrike Falcon Identity Protection Detection Low Severity, Wininit Wrong Parent"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, FLTMC command usage, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Windows Firewall Changes, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Taskhostw Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Wrong Parent, MavInject Process Injection, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage, Linux Suspicious Search, Outlook Registry Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Logonui Wrong Parent, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Explorer Wrong Parent, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, New Service Creation, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Logonui Wrong Parent, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Explorer Wrong Parent, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, New Service Creation, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Logonui Child Found, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious Control Process, IcedID Execution Using Excel, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious DLL Loading By Ordinal, xWizard Execution, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious Mshta Execution, CertOC Loading Dll, MOFComp Execution, Suspicious Regsvr32 Execution, MavInject Process Injection, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, Empire Monkey Activity, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Mshta Suspicious Child Process, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Lazarus Loaders, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, IcedID Execution Using Excel, Winword Document Droppers"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: CrowdStrike Falcon Mobile Detection Critical Severity, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, CrowdStrike Falcon Mobile Detection Informational Severity, SEKOIA.IO Intelligence Feed, CrowdStrike Falcon Mobile Detection Medium Severity, CrowdStrike Falcon Mobile Detection High Severity, Exfiltration And Tunneling Tools Execution, Python HTTP Server, CrowdStrike Falcon Mobile Detection Low Severity"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: CrowdStrike Falcon Identity Protection Detection Medium Severity, CrowdStrike Falcon Identity Protection Detection Informational Severity, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Intrusion Detection, Microsoft Office Product Spawning Windows Shell, CrowdStrike Falcon Intrusion Detection High Severity, Suspicious Outlook Child Process, CrowdStrike Falcon Identity Protection Detection High Severity, Winword Document Droppers, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Identity Protection Detection Low Severity, CrowdStrike Falcon Intrusion Detection Low Severity, IcedID Execution Using Excel, CrowdStrike Falcon Identity Protection Detection Critical Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Microsoft Office Spawning Script, CrowdStrike Falcon Intrusion Detection Medium Severity"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Exploiting SetupComplete.cmd CVE-2019-1378, CrowdStrike Falcon Identity Protection Detection Medium Severity, Suspicious PowerShell Invocations - Specific, Elise Backdoor, CrowdStrike Falcon Identity Protection Detection Informational Severity, Sysprep On AppData Folder, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Intrusion Detection, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Aspnet Compiler, Generic-reverse-shell-oneliner, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious VBS Execution Parameter, WMIC Uninstall Product, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, CrowdStrike Falcon Intrusion Detection High Severity, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious Outlook Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, CrowdStrike Falcon Identity Protection Detection High Severity, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Windows Script Execution, Python Offensive Tools and Packages, CrowdStrike Falcon Intrusion Detection Critical Severity, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, CrowdStrike Falcon Identity Protection Detection Low Severity, CrowdStrike Falcon Intrusion Detection Low Severity, Microsoft Defender Antivirus Disabled Base64 Encoded, CrowdStrike Falcon Identity Protection Detection Critical Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, Microsoft Office Spawning Script, CrowdStrike Falcon Intrusion Detection Medium Severity, Lazarus Loaders"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, CrowdStrike Falcon Identity Protection Detection Medium Severity, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, CrowdStrike Falcon Identity Protection Detection Informational Severity, Searchindexer Wrong Parent, Lsass Wrong Parent, CrowdStrike Falcon Intrusion Detection, Svchost Wrong Parent, SolarWinds Suspicious File Creation, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, CrowdStrike Falcon Intrusion Detection Medium Severity, Usage Of Procdump With Common Arguments, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Windows Update LolBins, Taskhostw Wrong Parent, CrowdStrike Falcon Intrusion Detection High Severity, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, CrowdStrike Falcon Identity Protection Detection High Severity, Searchprotocolhost Child Found, Wininit Wrong Parent, CrowdStrike Falcon Intrusion Detection Critical Severity, Logonui Wrong Parent, Csrss Child Found, CrowdStrike Falcon Identity Protection Detection Low Severity, CrowdStrike Falcon Intrusion Detection Low Severity, Exfiltration Via Pscp, CrowdStrike Falcon Identity Protection Detection Critical Severity, SolarWinds Wrong Child Process, CrowdStrike Falcon Intrusion Detection Informational Severity, Csrss Wrong Parent, PsExec Process, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Opening, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent, Explorer Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Child Found, New Service Creation, Wininit Wrong Parent, Logonui Wrong Parent, Csrss Child Found, SolarWinds Wrong Child Process, Csrss Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Child Found, New Service Creation, Wininit Wrong Parent, Logonui Wrong Parent, Csrss Child Found, SolarWinds Wrong Child Process, Csrss Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Searchprotocolhost Child Found, Wininit Wrong Parent, Logonui Wrong Parent, Csrss Child Found, SolarWinds Wrong Child Process, Csrss Wrong Parent, PsExec Process, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Mshta JavaScript Execution, MavInject Process Injection, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, MOFComp Execution, CMSTP UAC Bypass via COM Object Access, Control Panel Items, Suspicious Control Process, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, xWizard Execution, Suspicious Mshta Execution, Suspicious Regsvr32 Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Explorer Process Executing HTA File, CMSTP Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Powershell Web Request, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
index 1e617c7c8c..a7bd72219a 100644
--- a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
index 8c378ee909..75aa307e52 100644
--- a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Cisco Umbrella Threat Detected, Suspicious Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, GitLab CVE-2021-22205, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Chafer (APT 39) Activity, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, Python HTTP Server, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Suspicious DLL Loaded Via Office Applications, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), IcedID Execution Using Excel, HarfangLab EDR Low Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, HarfangLab EDR Medium Level Rule Detection, Winword Document Droppers, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, HarfangLab EDR Critical Level Rule Detection, MS Office Product Spawning Exe in User Dir, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Cobalt Strike Default Beacons Names, Suspicious DLL Loaded Via Office Applications, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), IcedID Execution Using Excel, HarfangLab EDR Low Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Winword Document Droppers, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, HarfangLab EDR Critical Level Rule Detection, MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Explorer Process Executing HTA File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, SSH X11 Forwarding, SSH Tunnel Traffic, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Svchost Modification, Autorun Keys Modification, Narrator Feedback-Hub Persistence, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, NjRat Registry Changes, DLL Load via LSASS Registry Key, Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key, Powershell Winlogon Helper DLL, Suspicious desktop.ini Action, Registry Key Used By Some Old Agent Tesla Samples"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line, Successful Overpass The Hash Attempt, Abusing Azure Browser SSO"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Lazarus Loaders, Phorpiex DriveMgr Command, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, PowerShell - NTFS Alternate Data Stream, Suspicious DLL Loaded Via Office Applications, Detection of default Mimikatz banner, Mustang Panda Dropper, QakBot Process Creation, Suspicious Microsoft Defender Antivirus Exclusion Command, Turla Named Pipes, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Aspnet Compiler, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Downgrade Attack, In-memory PowerShell, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Lazarus Loaders, Powershell Web Request, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Scripting In A WMI Consumer, WMImplant Hack Tool, Exploiting SetupComplete.cmd CVE-2019-1378, Trickbot Malware Activity, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, WMI DLL Loaded Via Office, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Keywords, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AutoIt3 Execution From Suspicious Folder, PowerShell Malicious PowerShell Commandlets, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, Default Encoding To UTF-8 PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Invoke-TheHash Commandlets, Suspicious Outlook Child Process, Mshta Suspicious Child Process, Microsoft Office Creating Suspicious File, FromBase64String Command Line, Sysprep On AppData Folder, Alternate PowerShell Hosts Pipe, Suspicious Windows Script Execution, Malicious PowerShell Keywords, PowerShell Credential Prompt, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Chafer (APT 39) Activity, Logonui Wrong Parent, StoneDrill Service Install, Wmiprvse Wrong Parent, Gpscript Suspicious Parent, Winword wrong parent, Searchindexer Wrong Parent, Explorer Wrong Parent, Cobalt Strike Default Service Creation Usage, Lsass Wrong Parent, Smss Wrong Parent, Malicious Service Installations, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, APT29 Fake Google Update Service Install, New Service Creation, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Chafer (APT 39) Activity, Logonui Wrong Parent, StoneDrill Service Install, Wmiprvse Wrong Parent, Gpscript Suspicious Parent, Winword wrong parent, Searchindexer Wrong Parent, Explorer Wrong Parent, Cobalt Strike Default Service Creation Usage, Lsass Wrong Parent, Smss Wrong Parent, Malicious Service Installations, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, APT29 Fake Google Update Service Install, New Service Creation, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Logonui Child Found, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, PsExec Process, Smbexec.py Service Installation, Wmiprvse Wrong Parent, Gpscript Suspicious Parent, Winword wrong parent, Searchindexer Wrong Parent, Metasploit PSExec Service Creation, Usage Of Sysinternals Tools, Lsass Wrong Parent, Smss Wrong Parent, Malicious Service Installations, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Suspicious PsExec Execution, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Rare Lsass Child Found, Credential Dumping Tools Service Execution, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Rare Logonui Child Found, Microsoft Defender Antivirus Threat Detected, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, PsExec Process, Smbexec.py Service Installation, Wmiprvse Wrong Parent, Gpscript Suspicious Parent, Winword wrong parent, Searchindexer Wrong Parent, Metasploit PSExec Service Creation, Usage Of Sysinternals Tools, Lsass Wrong Parent, Smss Wrong Parent, Malicious Service Installations, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Exfiltration Via Pscp, Suspicious PsExec Execution, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Rare Lsass Child Found, Credential Dumping Tools Service Execution, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, WMI Persistence Command Line Event Consumer, Windows Update LolBins, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, TUN/TAP Driver Installation, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, Phosphorus Domain Controller Discovery, PowerView commandlets 1, NlTest Usage, PowerView commandlets 2, Trickbot Malware Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Load Of dbghelp/dbgcore DLL From Suspicious Process, Cred Dump Tools Dropped Files, Lsass Access Through WinRM, Password Dumper Activity On LSASS, Windows Credential Editor Registry Key, Credential Dumping Tools Service Execution, LSASS Memory Dump File Creation, Unsigned Image Loaded Into LSASS Process, Credential Dumping-Tools Common Named Pipes, Credential Dumping By LaZagne, LSASS Access From Non System Account, Dumpert LSASS Process Dumper, Mimikatz LSASS Memory Access, LSASS Memory Dump, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, Password Dumper Activity On LSASS, Active Directory Database Dump Via Ntdsutil, Rubeus Tool Command-line, Unsigned Image Loaded Into LSASS Process, Copying Sensitive Files With Credential Data, DCSync Attack, LSASS Memory Dump, Active Directory Replication from Non Machine Account, NTDS.dit File In Suspicious Directory, Load Of dbghelp/dbgcore DLL From Suspicious Process, Lsass Access Through WinRM, Impacket Secretsdump.py Tool, Credential Dumping-Tools Common Named Pipes, Malicious Service Installations, DPAPI Domain Backup Key Extraction, SAM Registry Hive Handle Request, Process Memory Dump Using Rdrleakdiag, RedMimicry Winnti Playbook Dropped File, HackTools Suspicious Names, HackTools Suspicious Process Names In Command Line, LSASS Memory Dump File Creation, Credential Dumping By LaZagne, Cmdkey Cached Credentials Recon, LSASS Access From Non System Account, Dumpert LSASS Process Dumper, Suspicious SAM Dump, Mimikatz LSASS Memory Access, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials, NetNTLM Downgrade Attack, Mimikatz Basic Commands, Cred Dump Tools Dropped Files, Windows Credential Editor Registry Key, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Transfering Files With Credential Data Via Network Shares, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Dropped File, Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, Copying Sensitive Files With Credential Data, Suspicious SAM Dump, SAM Registry Hive Handle Request, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Active Directory Database Dump Via Ntdsutil, Impacket Secretsdump.py Tool, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active Directory User Backdoors, Active Directory Replication User Backdoor, User Added to Local Administrators, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Privileged AD Builtin Group Modified, Active Directory Delegate To KRBTGT Service, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious Control Process, IcedID Execution Using Excel, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious Desktopimgdownldr Execution, Suspicious DLL Loading By Ordinal, xWizard Execution, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious Mshta Execution, CertOC Loading Dll, MOFComp Execution, Suspicious Regsvr32 Execution, MavInject Process Injection, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, Dynwrapx Module Loading"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel, Dynwrapx Module Loading"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, MavInject Process Injection, Dynwrapx Module Loading"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Process Herpaderping, Cobalt Strike Named Pipes, Taskhostw Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, CreateRemoteThread Common Process Injection, Searchindexer Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, Malicious Named Pipe, Process Hollowing Detection, Wmiprvse Wrong Parent, Searchprotocolhost Wrong Parent, Dynwrapx Module Loading, Spoolsv Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, Svchost DLL Search Order Hijack, Suspicious DLL side loading from ProgramData, DHCP Callout DLL Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, Svchost DLL Search Order Hijack, Suspicious DLL side loading from ProgramData, DHCP Callout DLL Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell - NTFS Alternate Data Stream, Detection of default Mimikatz banner, Turla Named Pipes, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Downgrade Attack, In-memory PowerShell, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, WMImplant Hack Tool, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Keywords, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious PowerShell Commandlets, PowerShell Invoke Expression With Registry, Default Encoding To UTF-8 PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Invoke-TheHash Commandlets, FromBase64String Command Line, Mshta Suspicious Child Process, Alternate PowerShell Hosts Pipe, Malicious PowerShell Keywords, PowerShell Credential Prompt"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Ryuk Ransomware Command Line, AMSI Deactivation Using Registry Key, TrustedInstaller Impersonation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Malware Protection Engine Crash, Suspicious PROCEXP152.sys File Created In Tmp, Windows Defender Deactivation Using PowerShell Script, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Configuration Changed, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Disable Security Events Logging Adding Reg Key MiniNt, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, Python Opening Ports, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Microsoft Defender Antivirus Exclusion Configuration, Powershell AMSI Bypass, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Debugging Software Deactivation, Microsoft Defender Antivirus Disable SecurityHealth, FLTMC command usage, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspect Svchost Memory Access, Ryuk Ransomware Command Line, AMSI Deactivation Using Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, TrustedInstaller Impersonation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Malware Protection Engine Crash, Suspicious PROCEXP152.sys File Created In Tmp, Windows Defender Deactivation Using PowerShell Script, Netsh Allow Command, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Windows Firewall Changes, Microsoft Defender Antivirus Configuration Changed, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, DNS ServerLevelPluginDll Installation, FlowCloud Malware, Chafer (APT 39) Activity, Ursnif Registry Key, Blue Mockingbird Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, DHCP Callout DLL Installation, Suspicious New Printer Ports In Registry, Disable Security Events Logging Adding Reg Key MiniNt, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, RDP Port Change Using Powershell, Remote Registry Management Using Reg Utility, OceanLotus Registry Activity, NetNTLM Downgrade Attack"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command, Remote Registry Management Using Reg Utility, SysKey Registry Keys Access"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer, Net.exe User Account Creation"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading, Execution From Suspicious Folder, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Denied Access To Remote Desktop, Admin User RDP Remote Logon, User Added to Local Administrators, Failed Logon Source From Public IP Addresses, Account Tampering - Suspicious Failed Logon Reasons"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Cobalt Strike Default Service Creation Usage, Lsass Access Through WinRM, Lateral Movement - Remote Named Pipe, Denied Access To Remote Desktop, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, RDP Login From Localhost, Admin Share Access, MMC20 Lateral Movement, MMC Spawning Windows Shell, Protected Storage Service Access, RDP Port Change Using Powershell"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Audit CVE Event, Antivirus Password Dumper Detection, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution, Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, WMI DLL Loaded Via Office, Suspicious DLL Loaded Via Office Applications, Microsoft Office Creating Suspicious File, QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Python Opening Ports, Netsh Port Opening, Netsh Allow Command, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Secure Deletion With SDelete"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 1, Remote Privileged Group Enumeration, AD User Enumeration, PowerView commandlets 2"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance, AD User Enumeration"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Network Connection Via Certutil"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Creation or Modification of a GPO Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Blue Mockingbird Malware, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Remote Task Creation Via ATSVC Named Pipe, Creation or Modification of a GPO Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Register New Logon Process, Suspicious Outbound Kerberos Connection, Possible Replay Attack, Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Cobalt Strike Default Service Creation Usage, Lateral Movement - Remote Named Pipe, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Admin Share Access, Protected Storage Service Access"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, Eventlog Cleared, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted, Secure Deletion With SDelete"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI DLL Loaded Via Office, WMI Install Of Binary, Wmic Process Call Creation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery, Domain Trust Created Or Removed"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Active Directory Replication from Non Machine Account, DCSync Attack"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, AD Object WriteDAC Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage, Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy, Audit CVE Event, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, Microsoft Office Startup Add-In, IcedID Execution Using Excel"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Event Subscription, Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Privileged Operation, PowerView commandlets 2, PowerView commandlets 1, SCM Database Handle Failure"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious Hostname"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Cisco Umbrella Threat Detected, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, Suspicious DNS Child Process, Failed Logon Source From Public IP Addresses, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Suspicious LDAP-Attributes Used, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing, Chafer (APT 39) Activity"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, HarfangLab EDR High Level Rule Detection, Sysmon Windows File Block Executable, HarfangLab EDR Hlai Engine Detection, Microsoft Office Creating Suspicious File, Winword Document Droppers, Suspicious DLL Loaded Via Office Applications, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, HarfangLab EDR Medium Level Rule Detection, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, HarfangLab EDR High Level Rule Detection, Sysmon Windows File Block Executable, HarfangLab EDR Hlai Engine Detection, Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Winword Document Droppers, Suspicious DLL Loaded Via Office Applications, Microsoft Defender Antivirus Threat Detected, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names, HarfangLab EDR Medium Level Rule Detection, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SSH X11 Forwarding, SSH Tunnel Traffic, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, DLL Load via LSASS Registry Key, NjRat Registry Changes, Narrator Feedback-Hub Persistence, Registry Key Used By Some Old Agent Tesla Samples, Powershell Winlogon Helper DLL, Svchost Modification, Leviathan Registry Key Activity, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Sysprep On AppData Folder, Suspicious PowerShell Keywords, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell - NTFS Alternate Data Stream, Venom Multi-hop Proxy agent detection, Aspnet Compiler, MalwareBytes Uninstallation, PowerShell Invoke Expression With Registry, Suspicious CodePage Switch with CHCP, Suspicious XOR Encoded PowerShell Command Line, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, PowerShell Downgrade Attack, Detection of default Mimikatz banner, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious VBS Execution Parameter, In-memory PowerShell, WMIC Uninstall Product, Phorpiex DriveMgr Command, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Generic, Alternate PowerShell Hosts Pipe, PowerShell Malicious PowerShell Commandlets, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, WMI DLL Loaded Via Office, DNS Exfiltration and Tunneling Tools Execution, Suspicious Outlook Child Process, Suspicious Scripting In A WMI Consumer, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Office Creating Suspicious File, Powershell Web Request, PowerShell Credential Prompt, Suspicious Windows Script Execution, WMImplant Hack Tool, Turla Named Pipes, Suspicious DLL Loaded Via Office Applications, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, Malicious PowerShell Keywords, Invoke-TheHash Commandlets, FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Malicious Service Installations, Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Chafer (APT 39) Activity, StoneDrill Service Install, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Explorer Wrong Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Child Found, New Service Creation, Wininit Wrong Parent, Gpscript Suspicious Parent, Logonui Wrong Parent, Csrss Child Found, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Cobalt Strike Default Service Creation Usage, Csrss Wrong Parent, APT29 Fake Google Update Service Install, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Malicious Service Installations, Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Chafer (APT 39) Activity, StoneDrill Service Install, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Explorer Wrong Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Child Found, New Service Creation, Wininit Wrong Parent, Gpscript Suspicious Parent, Logonui Wrong Parent, Csrss Child Found, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Cobalt Strike Default Service Creation Usage, Csrss Wrong Parent, APT29 Fake Google Update Service Install, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Malicious Service Installations, Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Credential Dumping Tools Service Execution, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Smbexec.py Service Installation, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Searchprotocolhost Child Found, Metasploit PSExec Service Creation, Wininit Wrong Parent, Suspicious PsExec Execution, Gpscript Suspicious Parent, Logonui Wrong Parent, Csrss Child Found, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Csrss Wrong Parent, PsExec Process, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Malicious Service Installations, Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Credential Dumping Tools Service Execution, SolarWinds Suspicious File Creation, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Smbexec.py Service Installation, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Windows Update LolBins, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Searchprotocolhost Child Found, Metasploit PSExec Service Creation, Wininit Wrong Parent, Suspicious PsExec Execution, Microsoft Defender Antivirus Threat Detected, Gpscript Suspicious Parent, Logonui Wrong Parent, Csrss Child Found, Exfiltration Via Pscp, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Csrss Wrong Parent, PsExec Process, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: TUN/TAP Driver Installation, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, Phosphorus Domain Controller Discovery"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Credential Dumping-Tools Common Named Pipes, Mimikatz LSASS Memory Access, Credential Dumping By LaZagne, Load Of dbghelp/dbgcore DLL From Suspicious Process, LSASS Memory Dump File Creation, Lsass Access Through WinRM, Password Dumper Activity On LSASS, Unsigned Image Loaded Into LSASS Process, LSASS Access From Non System Account, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, LSASS Memory Dump, Credential Dumping Tools Service Execution, Dumpert LSASS Process Dumper"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Malicious Service Installations, Cmdkey Cached Credentials Recon, Active Directory Replication from Non Machine Account, Active Directory Database Dump Via Ntdsutil, NetNTLM Downgrade Attack, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, LSASS Access From Non System Account, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, DCSync Attack, Mimikatz LSASS Memory Access, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, LSASS Memory Dump File Creation, Lsass Access Through WinRM, HackTools Suspicious Names, Copying Browser Files With Credentials, Dumpert LSASS Process Dumper, NTDS.dit File Interaction Through Command Line, Suspicious SAM Dump, Password Dumper Activity On LSASS, SAM Registry Hive Handle Request, Cred Dump Tools Dropped Files, Copying Sensitive Files With Credential Data, Credential Dumping-Tools Common Named Pipes, Credential Dumping By LaZagne, Load Of dbghelp/dbgcore DLL From Suspicious Process, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction, Mimikatz Basic Commands, Unsigned Image Loaded Into LSASS Process, HackTools Suspicious Process Names In Command Line, Transfering Files With Credential Data Via Network Shares, RedMimicry Winnti Playbook Dropped File, Process Memory Dump Using Createdump, LSASS Memory Dump"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Copying Sensitive Files With Credential Data, Credential Dumping-Tools Common Named Pipes, Grabbing Sensitive Hives Via Reg Utility, Suspicious SAM Dump, SAM Registry Hive Handle Request, RedMimicry Winnti Playbook Dropped File, Copying Browser Files With Credentials, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory, Impacket Secretsdump.py Tool"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Credential Dumping-Tools Common Named Pipes, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: User Added to Local Administrators, Active Directory Replication User Backdoor, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Privileged AD Builtin Group Modified, Active Directory Delegate To KRBTGT Service, Mimikatz Basic Commands, Active Directory User Backdoors, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Dynwrapx Module Loading, CMSTP UAC Bypass via COM Object Access, Control Panel Items, Suspicious Control Process, Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, xWizard Execution, Suspicious Mshta Execution, Suspicious Regsvr32 Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Explorer Process Executing HTA File, CMSTP Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Dynwrapx Module Loading, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection, Dynwrapx Module Loading, CreateRemoteThread Common Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Cobalt Strike Named Pipes, Process Herpaderping, Taskhost Wrong Parent, Malicious Named Pipe, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Dynwrapx Module Loading, Process Hollowing Detection, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Explorer Wrong Parent, CreateRemoteThread Common Process Injection, Spoolsv Wrong Parent"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, Svchost DLL Search Order Hijack, Suspicious DLL side loading from ProgramData"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, DNS Server Error Failed Loading The ServerLevelPluginDLL, Windows Registry Persistence COM Search Order Hijacking, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, Svchost DLL Search Order Hijack, Suspicious DLL side loading from ProgramData"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious PowerShell Keywords, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell - NTFS Alternate Data Stream, PowerShell Invoke Expression With Registry, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, PowerShell Downgrade Attack, Detection of default Mimikatz banner, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, In-memory PowerShell, PowerShell Malicious PowerShell Commandlets, Suspicious PowerShell Invocations - Generic, Alternate PowerShell Hosts Pipe, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Credential Prompt, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, WMImplant Hack Tool, Turla Named Pipes, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Malicious PowerShell Keywords, Invoke-TheHash Commandlets, FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Opening, NetNTLM Downgrade Attack, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disable Services, Raccine Uninstall, Microsoft Malware Protection Engine Crash, Disable Windows Defender Credential Guard, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Configuration Changed, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Microsoft Defender Antivirus Disable SecurityHealth, WMIC Uninstall Product, Suspicious PROCEXP152.sys File Created In Tmp, TrustedInstaller Impersonation, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Debugging Software Deactivation, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, ETW Tampering, Clear EventLogs Through CommandLine, NetNTLM Downgrade Attack, FLTMC command usage, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disable Services, Raccine Uninstall, Microsoft Malware Protection Engine Crash, Disable Windows Defender Credential Guard, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Configuration Changed, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Microsoft Defender Antivirus Disable SecurityHealth, WMIC Uninstall Product, Suspicious PROCEXP152.sys File Created In Tmp, Python Opening Ports, Disable Security Events Logging Adding Reg Key MiniNt, TrustedInstaller Impersonation, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspect Svchost Memory Access, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Opening, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, Windows Firewall Changes, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Tampering Detected, Netsh Allowed Python Program, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Blue Mockingbird Malware, Disable Security Events Logging Adding Reg Key MiniNt, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, NetNTLM Downgrade Attack, DHCP Callout DLL Installation, FlowCloud Malware, RDP Port Change Using Powershell, DNS ServerLevelPluginDll Installation, OceanLotus Registry Activity, Remote Registry Management Using Reg Utility, Chafer (APT 39) Activity"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, SysKey Registry Keys Access, Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Execution From Suspicious Folder, Copy Of Legitimate System32 Executable, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added to Local Administrators, Account Tampering - Suspicious Failed Logon Reasons, Admin User RDP Remote Logon, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses, Denied Access To Remote Desktop"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Denied Access To Remote Desktop, RDP Login From Localhost"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Admin Share Access, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access, RDP Login From Localhost, Lateral Movement - Remote Named Pipe, Lsass Access Through WinRM, Denied Access To Remote Desktop, Smbexec.py Service Installation, Cobalt Strike Default Service Creation Usage, MMC20 Lateral Movement, MMC Spawning Windows Shell, RDP Port Change Using Powershell"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Antivirus Password Dumper Detection, Msdt (Follina) File Browse Process Execution, Audit CVE Event, Suspicious HWP Child Process, Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Password Dumper Detection, Remote Monitoring and Management Software - AnyDesk, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious DLL Loaded Via Office Applications"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Allowed Python Program, Netsh RDP Port Opening, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Python Opening Ports, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar, Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Secure Deletion With SDelete, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan, Audit CVE Event"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, Phosphorus (APT35) Exchange Discovery, AD User Enumeration, Remote Privileged Group Enumeration, PowerView commandlets 2, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Rclone Process, Suspicious certutil command, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Suspicious Finger Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Creation or Modification of a GPO Scheduled Task, Chafer (APT 39) Activity"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Chafer (APT 39) Activity, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Creation or Modification of a GPO Scheduled Task, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Register New Logon Process, Suspicious Outbound Kerberos Connection"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Admin Share Access, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access, Lateral Movement - Remote Named Pipe, Smbexec.py Service Installation, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Eventlog Cleared, Secure Deletion With SDelete, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, WMI DLL Loaded Via Office, Invoke-TheHash Commandlets, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, WMImplant Hack Tool, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery, Privileged AD Builtin Group Modified, Domain Trust Created Or Removed"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution, DCSync Attack"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, AD Object WriteDAC Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted, Secure Deletion With SDelete"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, Antivirus Web Shell Detection"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Antivirus Web Shell Detection"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Narrator Feedback-Hub Persistence, Registry Key Used By Some Old Agent Tesla Samples, Svchost Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy, Audit CVE Event"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In, Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, WMI Event Subscription, WMI Persistence Script Event Consumer File Write, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Suspicious Scripting In A WMI Consumer, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Privileged Operation, SCM Database Handle Failure, PowerView commandlets 2"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, Netsh Port Forwarding"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, WMI Event Subscription"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
index 67985b6300..fe7361f8a2 100644
--- a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
index a4f6d05bb8..b1364281e2 100644
--- a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Potential DNS Tunnel, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, Python HTTP Server, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, IcedID Execution Using Excel, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, IcedID Execution Using Excel, Winword Document Droppers"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Windows Credential Editor Registry Key, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, FLTMC command usage, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, AMSI Deactivation Using Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Windows Firewall Changes, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Taskhostw Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Wrong Parent, MavInject Process Injection, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, NjRat Registry Changes, Suspicious desktop.ini Action"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, QakBot Process Creation, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, Lazarus Loaders, Powershell Web Request, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Trickbot Malware Activity, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious Outlook Child Process, Mshta Suspicious Child Process, Microsoft Office Creating Suspicious File, Sysprep On AppData Folder, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage, Linux Suspicious Search, Outlook Registry Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Logonui Wrong Parent, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Explorer Wrong Parent, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, New Service Creation, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Logonui Wrong Parent, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Explorer Wrong Parent, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, New Service Creation, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Logonui Child Found, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Rare Logonui Child Found, Microsoft Defender Antivirus Threat Detected, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Exfiltration Via Pscp, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Windows Update LolBins, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious Control Process, IcedID Execution Using Excel, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious DLL Loading By Ordinal, xWizard Execution, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious Mshta Execution, CertOC Loading Dll, MOFComp Execution, Suspicious Regsvr32 Execution, MavInject Process Injection, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Mshta Suspicious Child Process, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Lazarus Loaders, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641, Audit CVE Event"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, Failed Logon Source From Public IP Addresses, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, IcedID Execution Using Excel, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Defender Antivirus Threat Detected, Exploit For CVE-2015-1641"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Opening, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Opening, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Tampering Detected, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent, Explorer Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Leviathan Registry Key Activity, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Sysprep On AppData Folder, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Generic-reverse-shell-oneliner, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, PowerShell Downgrade Attack, AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, WMIC Uninstall Product, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious Outlook Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Office Creating Suspicious File, Powershell Web Request, Suspicious Windows Script Execution, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, DNS Server Error Failed Loading The ServerLevelPluginDLL, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Explorer Wrong Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Child Found, New Service Creation, Wininit Wrong Parent, Logonui Wrong Parent, Csrss Child Found, SolarWinds Wrong Child Process, Csrss Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Explorer Wrong Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Child Found, New Service Creation, Wininit Wrong Parent, Logonui Wrong Parent, Csrss Child Found, SolarWinds Wrong Child Process, Csrss Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Searchprotocolhost Child Found, Wininit Wrong Parent, Logonui Wrong Parent, Csrss Child Found, SolarWinds Wrong Child Process, Csrss Wrong Parent, PsExec Process, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, SolarWinds Suspicious File Creation, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Windows Update LolBins, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Searchprotocolhost Child Found, Wininit Wrong Parent, Microsoft Defender Antivirus Threat Detected, Logonui Wrong Parent, Csrss Child Found, Exfiltration Via Pscp, SolarWinds Wrong Child Process, Csrss Wrong Parent, PsExec Process, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Mshta JavaScript Execution, MavInject Process Injection, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, MOFComp Execution, CMSTP UAC Bypass via COM Object Access, Control Panel Items, Suspicious Control Process, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, xWizard Execution, Suspicious Mshta Execution, Suspicious Regsvr32 Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Explorer Process Executing HTA File, CMSTP Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Powershell Web Request, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Disable Workstation Lock, FlowCloud Malware, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process, Audit CVE Event"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
index 44d2ace846..1902690f59 100644
--- a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, LokiBot Default C2 URL, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Sliver DNS Beaconing, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
index bab7d97112..a38db6e14b 100644
--- a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Python HTTP Server, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Nimbo-C2 User Agent, Python HTTP Server, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, Suspicious Taskkill Command, CertOC Loading Dll, MavInject Process Injection, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Python HTTP Server, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, DNS Exfiltration and Tunneling Tools Execution, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Python HTTP Server"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, WMIC Uninstall Product, Netsh Port Forwarding, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Phorpiex DriveMgr Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, MavInject Process Injection, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
index 0e2bd08b4b..6bbb687ea8 100644
--- a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-1147 SharePoint, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
index 63eb743296..febc094aff 100644
--- a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
index ab78619a36..534d7e18a2 100644
--- a/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Suricata", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Suricata", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, Sliver DNS Beaconing, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
index f38a3e0112..e1a540fa73 100644
--- a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Python HTTP Server, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Nimbo-C2 User Agent, Sliver DNS Beaconing, Python HTTP Server, DNS Tunnel Technique From MuddyWater, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Low Level Rule Detection, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Cobalt Strike Default Beacons Names, HarfangLab EDR Critical Level Rule Detection, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Exploit For CVE-2015-1641, Explorer Process Executing HTA File, HarfangLab EDR Suspicious Process Behavior Has Been Detected"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Cobalt Strike Default Beacons Names, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), IcedID Execution Using Excel, HarfangLab EDR Low Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, HarfangLab EDR Medium Level Rule Detection, Winword Document Droppers, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Spawning Script, HarfangLab EDR Critical Level Rule Detection, MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Explorer Process Executing HTA File"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, WCE wceaux.dll Creation, Process Memory Dump Using Createdump, HackTools Suspicious Process Names In Command Line, HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Windows Credential Editor Registry Key, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, FLTMC command usage, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Windows Firewall Changes, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Taskhostw Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Wrong Parent, MavInject Process Injection, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, NjRat Registry Changes, Suspicious desktop.ini Action"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, QakBot Process Creation, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Aspnet Compiler, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, Lazarus Loaders, Powershell Web Request, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Trickbot Malware Activity, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious Outlook Child Process, Mshta Suspicious Child Process, Microsoft Office Creating Suspicious File, Sysprep On AppData Folder, Python Offensive Tools and Packages, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage, Linux Suspicious Search, Outlook Registry Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Blue Mockingbird Malware, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Logonui Wrong Parent, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Explorer Wrong Parent, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, New Service Creation, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Logonui Wrong Parent, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Explorer Wrong Parent, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, New Service Creation, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Logonui Child Found, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Rare Logonui Child Found, Microsoft Defender Antivirus Threat Detected, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Exfiltration Via Pscp, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Windows Update LolBins, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious Control Process, IcedID Execution Using Excel, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious DLL Loading By Ordinal, xWizard Execution, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious Mshta Execution, CertOC Loading Dll, MOFComp Execution, Suspicious Regsvr32 Execution, MavInject Process Injection, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Mshta Suspicious Child Process, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Lazarus Loaders, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, Failed Logon Source From Public IP Addresses, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, DNS Tunnel Technique From MuddyWater, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR High Level Rule Detection, Exploit For CVE-2015-1641, Sysmon Windows File Block Executable, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Hlai Engine Detection, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, HarfangLab EDR Critical Level Rule Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR High Level Rule Detection, Sysmon Windows File Block Executable, HarfangLab EDR Hlai Engine Detection, Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Winword Document Droppers, Microsoft Defender Antivirus Threat Detected, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names, HarfangLab EDR Medium Level Rule Detection, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Tampering Detected, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent, Explorer Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Leviathan Registry Key Activity, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Sysprep On AppData Folder, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Aspnet Compiler, Generic-reverse-shell-oneliner, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, PowerShell Downgrade Attack, AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, WMIC Uninstall Product, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious Outlook Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Office Creating Suspicious File, Powershell Web Request, Suspicious Windows Script Execution, Python Offensive Tools and Packages, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, DNS Server Error Failed Loading The ServerLevelPluginDLL, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Explorer Wrong Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Child Found, New Service Creation, Wininit Wrong Parent, Logonui Wrong Parent, Csrss Child Found, SolarWinds Wrong Child Process, Csrss Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Explorer Wrong Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Child Found, New Service Creation, Wininit Wrong Parent, Logonui Wrong Parent, Csrss Child Found, SolarWinds Wrong Child Process, Csrss Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Searchprotocolhost Child Found, Wininit Wrong Parent, Logonui Wrong Parent, Csrss Child Found, SolarWinds Wrong Child Process, Csrss Wrong Parent, PsExec Process, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, SolarWinds Suspicious File Creation, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Windows Update LolBins, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Searchprotocolhost Child Found, Wininit Wrong Parent, Microsoft Defender Antivirus Threat Detected, Logonui Wrong Parent, Csrss Child Found, Exfiltration Via Pscp, SolarWinds Wrong Child Process, Csrss Wrong Parent, PsExec Process, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Mshta JavaScript Execution, MavInject Process Injection, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, MOFComp Execution, CMSTP UAC Bypass via COM Object Access, Control Panel Items, Suspicious Control Process, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, xWizard Execution, Suspicious Mshta Execution, Suspicious Regsvr32 Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Explorer Process Executing HTA File, CMSTP Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Powershell Web Request, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, RDP Sensitive Settings Changed, Disable Workstation Lock, FlowCloud Malware, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
index e3144f5fc5..06c873ede8 100644
--- a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty Low Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty Low Severity Alert"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
index 167a029777..8c27bf2984 100644
--- a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR Application Detected, Sophos EDR CorePUA Clean, Download Files From Suspicious TLDs, Sophos EDR CorePUA Detection, Sophos EDR Application Blocked"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Sophos EDR Application Detected, Sophos EDR CorePUA Detection, Sophos EDR CorePUA Clean, Sophos EDR Application Blocked"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
index 655737a84d..37d822faac 100644
--- a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Aspnet Compiler"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Aspnet Compiler"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
index 2a36911f23..6982609c9a 100644
--- a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0 [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, IcedID Execution Using Excel, Winword Document Droppers"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, IcedID Execution Using Excel, Winword Document Droppers"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Comsvcs, Windows Credential Editor Registry Key, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Suspicious Driver Loaded, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, FLTMC command usage, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, AMSI Deactivation Using Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Windows Firewall Changes, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Taskhostw Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Wrong Parent, MavInject Process Injection, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, NjRat Registry Changes"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, QakBot Process Creation, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Aspnet Compiler, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, Lazarus Loaders, Powershell Web Request, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Trickbot Malware Activity, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious Outlook Child Process, Mshta Suspicious Child Process, Sysprep On AppData Folder, Python Offensive Tools and Packages, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage, Linux Suspicious Search, Outlook Registry Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Blue Mockingbird Malware, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Logonui Wrong Parent, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Explorer Wrong Parent, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, New Service Creation, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Logonui Wrong Parent, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Explorer Wrong Parent, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, New Service Creation, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Logonui Child Found, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Rare Logonui Child Found, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Exfiltration Via Pscp, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, WMI Persistence Command Line Event Consumer, Windows Update LolBins, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious Control Process, IcedID Execution Using Excel, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious DLL Loading By Ordinal, xWizard Execution, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious Mshta Execution, CertOC Loading Dll, MOFComp Execution, Suspicious Regsvr32 Execution, MavInject Process Injection, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, Empire Monkey Activity, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Mshta Suspicious Child Process, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Lazarus Loaders, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, OceanLotus Registry Activity"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0 [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, DNS Tunnel Technique From MuddyWater, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Sliver DNS Beaconing, Koadic MSHTML Command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, IcedID Execution Using Excel, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Winword Document Droppers, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Winword Document Droppers, Exploit For CVE-2015-1641"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, Suspicious DNS Child Process, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Opening, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent, Explorer Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Leviathan Registry Key Activity, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Sysprep On AppData Folder, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Aspnet Compiler, Generic-reverse-shell-oneliner, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, PowerShell Downgrade Attack, AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, WMIC Uninstall Product, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious Outlook Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Windows Script Execution, Python Offensive Tools and Packages, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Explorer Wrong Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Child Found, New Service Creation, Wininit Wrong Parent, Logonui Wrong Parent, Csrss Child Found, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Csrss Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Explorer Wrong Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Child Found, New Service Creation, Wininit Wrong Parent, Logonui Wrong Parent, Csrss Child Found, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Csrss Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Searchprotocolhost Child Found, Wininit Wrong Parent, Logonui Wrong Parent, Csrss Child Found, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Csrss Wrong Parent, PsExec Process, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Windows Update LolBins, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Searchprotocolhost Child Found, Wininit Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Exfiltration Via Pscp, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Csrss Wrong Parent, PsExec Process, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Mshta JavaScript Execution, MavInject Process Injection, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, MOFComp Execution, CMSTP UAC Bypass via COM Object Access, Control Panel Items, Suspicious Control Process, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, xWizard Execution, Suspicious Mshta Execution, Suspicious Regsvr32 Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Explorer Process Executing HTA File, CMSTP Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Powershell Web Request, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process, Windows Credential Editor Registry Key"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Disable Workstation Lock, FlowCloud Malware, OceanLotus Registry Activity"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
index 062be9b84e..bb8818e132 100644
--- a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Quarantined, Download Files From Suspicious TLDs, Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Terminate"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: SELinux Disabling, Disabled Service"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: SELinux Disabling, Disabled Service"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Interactive Terminal Spawned via Python, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Broadcom/Symantec Endpoint Security Event Quarantined, Broadcom/Symantec Endpoint Security Event Terminate, Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Cleaned"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Interactive Terminal Spawned via Python, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
index d67bc6ddb6..ae0742415e 100644
--- a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
index 335e50371f..a531b340da 100644
--- a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json
index 70e2d2659e..b292c2dc21 100644
--- a/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Tenable Identity Exposure / Alsid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Tenable Identity Exposure / Alsid Critical Severity Alert, Tenable Identity Exposure / Alsid High Severity Alert, Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Tenable Identity Exposure / Alsid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Tenable Identity Exposure / Alsid High Severity Alert, Tenable Identity Exposure / Alsid Critical Severity Alert, Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
index 5db35b1d24..f6bb58bbd6 100644
--- a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Suspicious Windows DNS Queries, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Suspicious Windows DNS Queries, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Aspnet Compiler"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Sliver DNS Beaconing, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Aspnet Compiler"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
index 8eca30031b..61a04c8b8f 100644
--- a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
index b2e822afa5..98a9af3765 100644
--- a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Proofpoint TAP Email Classified As Phishing But Allowed, Proofpoint TAP Email Classified As Spam But Allowed, Download Files From Suspicious TLDs, Proofpoint TAP Email Classified As Malware But Allowed, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Proofpoint TAP Email Classified As Spam But Allowed, SEKOIA.IO Intelligence Feed, Proofpoint TAP Email Classified As Malware But Allowed, Possible Malicious File Double Extension, Proofpoint TAP Email Classified As Phishing But Allowed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
index c6ef2bd0a4..1fc4797900 100644
--- a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
index be3d4970d0..6dcccb89dd 100644
--- a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (MultiScan), SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (Sandboxing), Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (MultiScan)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (MultiScan), SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (Sandboxing), Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (MultiScan)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
index d1ce5977e9..bc2f05263a 100644
--- a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
index 1e72246c3c..a219457d74 100644
--- a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Sliver DNS Beaconing, Koadic MSHTML Command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
index 8935306763..8ffb23b8c5 100644
--- a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Potential DNS Tunnel, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, SELinux Disabling, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Disabled Service, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, SELinux Disabling, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, ETW Tampering, Disabled Service, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh RDP Port Opening, Debugging Software Deactivation, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Windows Firewall Changes, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Aspnet Compiler, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, MalwareBytes Uninstallation, Lazarus Loaders, Powershell Web Request, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Socat Relaying Socket, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Socat Reverse Shell Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Office Creating Suspicious File, Sysprep On AppData Folder, Python Offensive Tools and Packages, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage, Linux Suspicious Search, Outlook Registry Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Control Panel Items, CMSTP Execution, Equation Group DLL_U Load, Suspicious Windows Installer Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Suspicious Control Process, Explorer Process Executing HTA File, MavInject Process Injection, Mshta JavaScript Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Windows Firewall Changes, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Socat Relaying Socket, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, SELinux Disabling, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Disabled Service, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, ETW Tampering, Clear EventLogs Through CommandLine, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, SELinux Disabling, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Disabled Service, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Elise Backdoor, Sysprep On AppData Folder, Linux Bash Reverse Shell, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Venom Multi-hop Proxy agent detection, Aspnet Compiler, Generic-reverse-shell-oneliner, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, PowerShell Downgrade Attack, AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, WMIC Uninstall Product, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Office Creating Suspicious File, Powershell Web Request, Suspicious Windows Script Execution, Python Offensive Tools and Packages, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Interactive Terminal Spawned via Python, Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders, Socat Reverse Shell Detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Mshta JavaScript Execution, xWizard Execution, Suspicious Mshta Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Taskkill Command, CMSTP Execution, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Powershell Web Request, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
index f3d011c4ce..f5c1d865b9 100644
--- a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Python HTTP Server"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, Suspicious Taskkill Command, CertOC Loading Dll, MavInject Process Injection, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, WMIC Uninstall Product, Netsh Port Forwarding, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, ETW Tampering, Clear EventLogs Through CommandLine, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Phorpiex DriveMgr Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, MavInject Process Injection, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
index c13b2c145b..89fa3932da 100644
--- a/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella Proxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, LokiBot Default C2 URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, LokiBot Default C2 URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella Proxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Koadic MSHTML Command"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
index 271ce8f625..fc1bedf3c8 100644
--- a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Secure Mobile Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Secure Mobile Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
index d5c76d2558..b35591d162 100644
--- a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
index 833d5e74d5..53a7ff5293 100644
--- a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, Suspicious Taskkill Command, CertOC Loading Dll, MavInject Process Injection, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, WMIC Uninstall Product, Netsh Port Forwarding, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Phorpiex DriveMgr Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, MavInject Process Injection, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
index a779f0579d..81293c0d26 100644
--- a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika WAAP Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, LokiBot Default C2 URL, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika WAAP Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
index 07b13e04d0..40b7545f4b 100644
--- a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Files [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Files [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
index 4d2de42a8e..75662f8c1d 100644
--- a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh RDP Port Opening, Debugging Software Deactivation, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Windows Firewall Changes, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Aspnet Compiler, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, Lazarus Loaders, Powershell Web Request, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Sysprep On AppData Folder, Python Offensive Tools and Packages, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage, Linux Suspicious Search, Outlook Registry Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Control Panel Items, CMSTP Execution, Equation Group DLL_U Load, Suspicious Windows Installer Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Suspicious Control Process, Explorer Process Executing HTA File, MavInject Process Injection, Mshta JavaScript Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Windows Firewall Changes, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Opening, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, ETW Tampering, Clear EventLogs Through CommandLine, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Elise Backdoor, Sysprep On AppData Folder, Linux Bash Reverse Shell, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Aspnet Compiler, Generic-reverse-shell-oneliner, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, WMIC Uninstall Product, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Windows Script Execution, Python Offensive Tools and Packages, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Mshta JavaScript Execution, xWizard Execution, Suspicious Mshta Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Taskkill Command, CMSTP Execution, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Powershell Web Request, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
index 5697dff954..3f242833d2 100644
--- a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Github Audit logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Delete Action, GitHub High Risk Configuration Disabled, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub New Organization Member, GitHub Outside Collaborator Detected"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Delete Action, GitHub High Risk Configuration Disabled, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub New Organization Member, GitHub Outside Collaborator Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Github Audit logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Outside Collaborator Detected, GitHub New Organization Member, GitHub High Risk Configuration Disabled, GitHub Delete Action"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Outside Collaborator Detected, GitHub New Organization Member, GitHub High Risk Configuration Disabled, GitHub Delete Action"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
index 416d7ad155..dc9ae807ef 100644
--- a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, TEHTRIS EDR Alert"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, TEHTRIS EDR Alert, Aspnet Compiler, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, Lazarus Loaders, Powershell Web Request, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Office Creating Suspicious File, Sysprep On AppData Folder, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process, TEHTRIS EDR Alert, Exfiltration Via Pscp"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh RDP Port Opening, Debugging Software Deactivation, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Windows Firewall Changes, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage, Linux Suspicious Search, Outlook Registry Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Control Panel Items, CMSTP Execution, Equation Group DLL_U Load, Suspicious Windows Installer Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Suspicious Control Process, Explorer Process Executing HTA File, MavInject Process Injection, Mshta JavaScript Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Windows Firewall Changes, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, TEHTRIS EDR Alert, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Elise Backdoor, Sysprep On AppData Folder, Linux Bash Reverse Shell, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Aspnet Compiler, Generic-reverse-shell-oneliner, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, PowerShell Downgrade Attack, AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, WMIC Uninstall Product, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, TEHTRIS EDR Alert, Microsoft Office Creating Suspicious File, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, TEHTRIS EDR Alert, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, ETW Tampering, Clear EventLogs Through CommandLine, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Mshta JavaScript Execution, xWizard Execution, Suspicious Mshta Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Taskkill Command, CMSTP Execution, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Powershell Web Request, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
index dc3a3b7a28..4719676220 100644
--- a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Audit CVE Event, Antivirus Password Dumper Detection, Download Files From Suspicious TLDs, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution, Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641, Antivirus Exploitation Framework Detection, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Cobalt Strike Default Beacons Names, Suspicious DLL Loaded Via Office Applications, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), IcedID Execution Using Excel, HarfangLab EDR Low Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Winword Document Droppers, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, HarfangLab EDR Critical Level Rule Detection, MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Suspicious DLL Loaded Via Office Applications, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), IcedID Execution Using Excel, HarfangLab EDR Low Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Winword Document Droppers, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, HarfangLab EDR Critical Level Rule Detection, MS Office Product Spawning Exe in User Dir, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Possible RottenPotato Attack, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Suspicious Windows DNS Queries, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Python HTTP Server, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Suspicious LDAP-Attributes Used, Chafer (APT 39) Activity, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, Covenant Default HTTP Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Sliver DNS Beaconing, Python HTTP Server, DNS Tunnel Technique From MuddyWater, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, TUN/TAP Driver Installation, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Desktopimgdownldr Execution, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Network Connection Via Certutil, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious Hostname, Suspicious TOR Gateway"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading, Execution From Suspicious Folder, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, Password Dumper Activity On LSASS, Active Directory Database Dump Via Ntdsutil, Rubeus Tool Command-line, Unsigned Image Loaded Into LSASS Process, Copying Sensitive Files With Credential Data, DCSync Attack, LSASS Memory Dump, Active Directory Replication from Non Machine Account, NTDS.dit File In Suspicious Directory, Load Of dbghelp/dbgcore DLL From Suspicious Process, Lsass Access Through WinRM, Impacket Secretsdump.py Tool, Credential Dumping-Tools Common Named Pipes, Malicious Service Installations, DPAPI Domain Backup Key Extraction, SAM Registry Hive Handle Request, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, RedMimicry Winnti Playbook Dropped File, HackTools Suspicious Names, HackTools Suspicious Process Names In Command Line, LSASS Memory Dump File Creation, Credential Dumping By LaZagne, Cmdkey Cached Credentials Recon, LSASS Access From Non System Account, Dumpert LSASS Process Dumper, Suspicious SAM Dump, Mimikatz LSASS Memory Access, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials, NetNTLM Downgrade Attack, Mimikatz Basic Commands, Cred Dump Tools Dropped Files, Windows Credential Editor Registry Key, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Transfering Files With Credential Data Via Network Shares, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Ryuk Ransomware Command Line, AMSI Deactivation Using Registry Key, TrustedInstaller Impersonation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Malware Protection Engine Crash, Suspicious PROCEXP152.sys File Created In Tmp, Windows Defender Deactivation Using PowerShell Script, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Configuration Changed, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Disable Security Events Logging Adding Reg Key MiniNt, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, Python Opening Ports, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Microsoft Defender Antivirus Exclusion Configuration, Powershell AMSI Bypass, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, Microsoft Defender Antivirus Disable SecurityHealth, FLTMC command usage, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspect Svchost Memory Access, Ryuk Ransomware Command Line, AMSI Deactivation Using Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, TrustedInstaller Impersonation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Windows Defender Credential Guard, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Malware Protection Engine Crash, Suspicious PROCEXP152.sys File Created In Tmp, Windows Defender Deactivation Using PowerShell Script, Netsh Allow Command, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Windows Firewall Changes, Microsoft Defender Antivirus Configuration Changed, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Explorer Wrong Parent, Process Herpaderping, Suspicious Process Requiring DLL Starts Without DLL, Smss Wrong Parent, Malicious Named Pipe, Process Hollowing Detection, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, CreateRemoteThread Common Process Injection, Svchost Wrong Parent, MavInject Process Injection, Spoolsv Wrong Parent, Cobalt Strike Named Pipes, Taskhost Wrong Parent, Dynwrapx Module Loading, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Svchost Modification, Autorun Keys Modification, Narrator Feedback-Hub Persistence, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, NjRat Registry Changes, DLL Load via LSASS Registry Key, Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key, Powershell Winlogon Helper DLL, Suspicious desktop.ini Action, Registry Key Used By Some Old Agent Tesla Samples"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, PowerShell - NTFS Alternate Data Stream, Suspicious DLL Loaded Via Office Applications, Detection of default Mimikatz banner, Mustang Panda Dropper, QakBot Process Creation, Suspicious Microsoft Defender Antivirus Exclusion Command, Turla Named Pipes, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Aspnet Compiler, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Downgrade Attack, In-memory PowerShell, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Lazarus Loaders, Powershell Web Request, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Scripting In A WMI Consumer, WMImplant Hack Tool, Exploiting SetupComplete.cmd CVE-2019-1378, Trickbot Malware Activity, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, WMI DLL Loaded Via Office, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Keywords, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, AutoIt3 Execution From Suspicious Folder, PowerShell Malicious PowerShell Commandlets, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Invoke-TheHash Commandlets, Suspicious Outlook Child Process, Mshta Suspicious Child Process, Microsoft Office Creating Suspicious File, FromBase64String Command Line, Sysprep On AppData Folder, Alternate PowerShell Hosts Pipe, Suspicious Windows Script Execution, Malicious PowerShell Keywords, PowerShell Credential Prompt, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Eventlog Cleared, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted, Secure Deletion With SDelete"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage, Linux Suspicious Search, Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active Directory User Backdoors, Active Directory Replication User Backdoor, Add User to Privileged Group, User Added to Local Administrators, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Privileged AD Builtin Group Modified, Active Directory Delegate To KRBTGT Service, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, AD Object WriteDAC Access, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, Svchost DLL Search Order Hijack, Linux Shared Lib Injection Via Ldso Preload, Suspicious DLL side loading from ProgramData, Dynamic Linker Hijacking From Environment Variable, DHCP Callout DLL Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line, Successful Overpass The Hash Attempt, Abusing Azure Browser SSO"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Lazarus Loaders, Phorpiex DriveMgr Command, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Chafer (APT 39) Activity, Logonui Wrong Parent, StoneDrill Service Install, Wmiprvse Wrong Parent, Gpscript Suspicious Parent, Winword wrong parent, Searchindexer Wrong Parent, Explorer Wrong Parent, Cobalt Strike Default Service Creation Usage, Lsass Wrong Parent, Smss Wrong Parent, Malicious Service Installations, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, APT29 Fake Google Update Service Install, New Service Creation, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Chafer (APT 39) Activity, Logonui Wrong Parent, StoneDrill Service Install, Wmiprvse Wrong Parent, Gpscript Suspicious Parent, Winword wrong parent, Searchindexer Wrong Parent, Explorer Wrong Parent, Cobalt Strike Default Service Creation Usage, Lsass Wrong Parent, Smss Wrong Parent, Malicious Service Installations, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, APT29 Fake Google Update Service Install, New Service Creation, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Logonui Child Found, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, PsExec Process, Smbexec.py Service Installation, Wmiprvse Wrong Parent, Gpscript Suspicious Parent, Winword wrong parent, Searchindexer Wrong Parent, Metasploit PSExec Service Creation, Usage Of Sysinternals Tools, Lsass Wrong Parent, Smss Wrong Parent, Malicious Service Installations, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Suspicious PsExec Execution, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Rare Lsass Child Found, Credential Dumping Tools Service Execution, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Rare Logonui Child Found, Microsoft Defender Antivirus Threat Detected, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, PsExec Process, Smbexec.py Service Installation, Wmiprvse Wrong Parent, Gpscript Suspicious Parent, Winword wrong parent, Searchindexer Wrong Parent, Metasploit PSExec Service Creation, Usage Of Sysinternals Tools, Lsass Wrong Parent, Smss Wrong Parent, Malicious Service Installations, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Exfiltration Via Pscp, Suspicious PsExec Execution, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Rare Lsass Child Found, Credential Dumping Tools Service Execution, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, WMI Persistence Command Line Event Consumer, Windows Update LolBins, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, Phosphorus Domain Controller Discovery, PowerView commandlets 1, NlTest Usage, PowerView commandlets 2, Trickbot Malware Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Load Of dbghelp/dbgcore DLL From Suspicious Process, Cred Dump Tools Dropped Files, Lsass Access Through WinRM, Password Dumper Activity On LSASS, Windows Credential Editor Registry Key, Credential Dumping Tools Service Execution, LSASS Memory Dump File Creation, Unsigned Image Loaded Into LSASS Process, Credential Dumping-Tools Common Named Pipes, Credential Dumping By LaZagne, LSASS Access From Non System Account, Dumpert LSASS Process Dumper, Mimikatz LSASS Memory Access, LSASS Memory Dump, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Dropped File, Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, Copying Sensitive Files With Credential Data, Suspicious SAM Dump, SAM Registry Hive Handle Request, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Active Directory Database Dump Via Ntdsutil, Impacket Secretsdump.py Tool, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious Control Process, IcedID Execution Using Excel, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious Desktopimgdownldr Execution, Suspicious DLL Loading By Ordinal, xWizard Execution, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious Mshta Execution, CertOC Loading Dll, MOFComp Execution, Suspicious Regsvr32 Execution, MavInject Process Injection, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, Dynwrapx Module Loading"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel, Dynwrapx Module Loading"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, MavInject Process Injection, Dynwrapx Module Loading"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, Svchost DLL Search Order Hijack, Suspicious DLL side loading from ProgramData, DHCP Callout DLL Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell - NTFS Alternate Data Stream, Detection of default Mimikatz banner, Turla Named Pipes, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Downgrade Attack, In-memory PowerShell, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, WMImplant Hack Tool, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Keywords, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious PowerShell Commandlets, PowerShell Invoke Expression With Registry, Default Encoding To UTF-8 PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Invoke-TheHash Commandlets, FromBase64String Command Line, Mshta Suspicious Child Process, Alternate PowerShell Hosts Pipe, Malicious PowerShell Keywords, PowerShell Credential Prompt"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, DNS ServerLevelPluginDll Installation, FlowCloud Malware, Chafer (APT 39) Activity, Ursnif Registry Key, Blue Mockingbird Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, DHCP Callout DLL Installation, Suspicious New Printer Ports In Registry, Disable Security Events Logging Adding Reg Key MiniNt, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, RDP Port Change Using Powershell, Remote Registry Management Using Reg Utility, OceanLotus Registry Activity, NetNTLM Downgrade Attack"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command, Remote Registry Management Using Reg Utility, SysKey Registry Keys Access"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Denied Access To Remote Desktop, Admin User RDP Remote Logon, User Added to Local Administrators, Failed Logon Source From Public IP Addresses, Account Tampering - Suspicious Failed Logon Reasons"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Cobalt Strike Default Service Creation Usage, Lsass Access Through WinRM, Lateral Movement - Remote Named Pipe, Denied Access To Remote Desktop, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, RDP Login From Localhost, Admin Share Access, MMC20 Lateral Movement, MMC Spawning Windows Shell, Protected Storage Service Access, RDP Port Change Using Powershell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, WMI DLL Loaded Via Office, Suspicious DLL Loaded Via Office Applications, Microsoft Office Creating Suspicious File, QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Python Opening Ports, Netsh Port Opening, Netsh Allow Command, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Secure Deletion With SDelete"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 1, Remote Privileged Group Enumeration, AD User Enumeration, PowerView commandlets 2"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance, AD User Enumeration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Creation or Modification of a GPO Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Blue Mockingbird Malware, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Remote Task Creation Via ATSVC Named Pipe, Creation or Modification of a GPO Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Register New Logon Process, Suspicious Outbound Kerberos Connection, Possible Replay Attack, Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Cobalt Strike Default Service Creation Usage, Lateral Movement - Remote Named Pipe, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Admin Share Access, Protected Storage Service Access"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI DLL Loaded Via Office, WMI Install Of Binary, Wmic Process Call Creation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery, Domain Trust Created Or Removed"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Active Directory Replication from Non Machine Account, DCSync Attack"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy, Audit CVE Event, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, Microsoft Office Startup Add-In, IcedID Execution Using Excel"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Event Subscription, Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Privileged Operation, PowerView commandlets 2, PowerView commandlets 1, SCM Database Handle Failure"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Download Files From Suspicious TLDs, Antivirus Password Dumper Detection, Msdt (Follina) File Browse Process Execution, Audit CVE Event, Suspicious HWP Child Process, Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts, Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Download Files From Non-Legitimate TLDs, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs, HarfangLab EDR High Level Rule Detection, Sysmon Windows File Block Executable, HarfangLab EDR Hlai Engine Detection, Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Winword Document Droppers, Suspicious DLL Loaded Via Office Applications, Microsoft Defender Antivirus Threat Detected, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names, HarfangLab EDR Medium Level Rule Detection, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Download Files From Non-Legitimate TLDs, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs, HarfangLab EDR High Level Rule Detection, Sysmon Windows File Block Executable, HarfangLab EDR Hlai Engine Detection, Microsoft Office Creating Suspicious File, Winword Document Droppers, Suspicious DLL Loaded Via Office Applications, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, HarfangLab EDR Medium Level Rule Detection, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Microsoft Office Spawning Script"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process, Failed Logon Source From Public IP Addresses, CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Possible RottenPotato Attack, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, TrevorC2 HTTP Communication, Python HTTP Server, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, DNS Tunnel Technique From MuddyWater, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Suspicious LDAP-Attributes Used, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, TrevorC2 HTTP Communication, Sliver DNS Beaconing, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Chafer (APT 39) Activity"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Chafer (APT 39) Activity"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, TUN/TAP Driver Installation, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious certutil command, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Suspicious Finger Usage"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, Suspicious TOR Gateway, Netsh Port Forwarding"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Execution From Suspicious Folder, Copy Of Legitimate System32 Executable, Exploit For CVE-2017-0261 Or CVE-2017-0262, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Malicious Service Installations, Cmdkey Cached Credentials Recon, Active Directory Replication from Non Machine Account, Active Directory Database Dump Via Ntdsutil, NetNTLM Downgrade Attack, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, LSASS Access From Non System Account, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, DCSync Attack, Mimikatz LSASS Memory Access, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, LSASS Memory Dump File Creation, Lsass Access Through WinRM, HackTools Suspicious Names, Copying Browser Files With Credentials, Dumpert LSASS Process Dumper, NTDS.dit File Interaction Through Command Line, Suspicious SAM Dump, Password Dumper Activity On LSASS, SAM Registry Hive Handle Request, Cred Dump Tools Dropped Files, Copying Sensitive Files With Credential Data, Credential Dumping-Tools Common Named Pipes, Credential Dumping By LaZagne, Load Of dbghelp/dbgcore DLL From Suspicious Process, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, DPAPI Domain Backup Key Extraction, Mimikatz Basic Commands, Unsigned Image Loaded Into LSASS Process, HackTools Suspicious Process Names In Command Line, Transfering Files With Credential Data Via Network Shares, RedMimicry Winnti Playbook Dropped File, Process Memory Dump Using Createdump, LSASS Memory Dump"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Opening, NetNTLM Downgrade Attack, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disable Services, Raccine Uninstall, Microsoft Malware Protection Engine Crash, Disable Windows Defender Credential Guard, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Configuration Changed, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Microsoft Defender Antivirus Disable SecurityHealth, WMIC Uninstall Product, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, TrustedInstaller Impersonation, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, ETW Tampering, Clear EventLogs Through CommandLine, NetNTLM Downgrade Attack, FLTMC command usage, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disable Services, Raccine Uninstall, Microsoft Malware Protection Engine Crash, Disable Windows Defender Credential Guard, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Configuration Changed, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Microsoft Defender Antivirus Disable SecurityHealth, WMIC Uninstall Product, Suspicious PROCEXP152.sys File Created In Tmp, Python Opening Ports, Disable Security Events Logging Adding Reg Key MiniNt, Fail2ban Unban IP, TrustedInstaller Impersonation, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspect Svchost Memory Access, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Opening, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, Windows Firewall Changes, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Tampering Detected, Netsh Allowed Python Program, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Smss Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Svchost Wrong Parent, Cobalt Strike Named Pipes, Process Herpaderping, Taskhost Wrong Parent, Malicious Named Pipe, Searchprotocolhost Wrong Parent, Dynwrapx Module Loading, Wsmprovhost Wrong Parent, Explorer Wrong Parent, Taskhostw Wrong Parent, Process Hollowing Detection, Address Space Layout Randomization (ASLR) Alteration, CreateRemoteThread Common Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, DLL Load via LSASS Registry Key, NjRat Registry Changes, Narrator Feedback-Hub Persistence, Registry Key Used By Some Old Agent Tesla Samples, Powershell Winlogon Helper DLL, Svchost Modification, Leviathan Registry Key Activity, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Sysprep On AppData Folder, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, PowerShell - NTFS Alternate Data Stream, Venom Multi-hop Proxy agent detection, Aspnet Compiler, Generic-reverse-shell-oneliner, MalwareBytes Uninstallation, PowerShell Invoke Expression With Registry, Suspicious CodePage Switch with CHCP, Suspicious XOR Encoded PowerShell Command Line, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, PowerShell Downgrade Attack, Detection of default Mimikatz banner, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious VBS Execution Parameter, In-memory PowerShell, WMIC Uninstall Product, Phorpiex DriveMgr Command, AutoIt3 Execution From Suspicious Folder, Suspicious PowerShell Invocations - Generic, Alternate PowerShell Hosts Pipe, PowerShell Malicious PowerShell Commandlets, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, WMI DLL Loaded Via Office, DNS Exfiltration and Tunneling Tools Execution, Suspicious Outlook Child Process, Suspicious Scripting In A WMI Consumer, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Office Creating Suspicious File, Powershell Web Request, PowerShell Credential Prompt, Suspicious Windows Script Execution, WMImplant Hack Tool, Turla Named Pipes, Suspicious DLL Loaded Via Office Applications, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, Malicious PowerShell Keywords, Invoke-TheHash Commandlets, FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Eventlog Cleared, Secure Deletion With SDelete, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: User Added to Local Administrators, Active Directory Replication User Backdoor, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Privileged AD Builtin Group Modified, Active Directory Delegate To KRBTGT Service, Mimikatz Basic Commands, Add User to Privileged Group, Active Directory User Backdoors, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, AD Object WriteDAC Access, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, DNS Server Error Failed Loading The ServerLevelPluginDLL, Windows Registry Persistence COM Search Order Hijacking, Linux Shared Lib Injection Via Ldso Preload, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Suspicious DLL side loading from ProgramData, DHCP Server Error Failed Loading the CallOut DLL, Svchost DLL Search Order Hijack, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Malicious Service Installations, Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Chafer (APT 39) Activity, StoneDrill Service Install, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Explorer Wrong Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Child Found, New Service Creation, Wininit Wrong Parent, Gpscript Suspicious Parent, Logonui Wrong Parent, Csrss Child Found, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Cobalt Strike Default Service Creation Usage, Csrss Wrong Parent, APT29 Fake Google Update Service Install, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Malicious Service Installations, Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Chafer (APT 39) Activity, StoneDrill Service Install, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Explorer Wrong Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Child Found, New Service Creation, Wininit Wrong Parent, Gpscript Suspicious Parent, Logonui Wrong Parent, Csrss Child Found, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Cobalt Strike Default Service Creation Usage, Csrss Wrong Parent, APT29 Fake Google Update Service Install, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Malicious Service Installations, Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Credential Dumping Tools Service Execution, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Smbexec.py Service Installation, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Searchprotocolhost Child Found, Metasploit PSExec Service Creation, Wininit Wrong Parent, Suspicious PsExec Execution, Gpscript Suspicious Parent, Logonui Wrong Parent, Csrss Child Found, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Csrss Wrong Parent, PsExec Process, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Malicious Service Installations, Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Credential Dumping Tools Service Execution, SolarWinds Suspicious File Creation, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Smbexec.py Service Installation, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Windows Update LolBins, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Searchprotocolhost Child Found, Metasploit PSExec Service Creation, Wininit Wrong Parent, Suspicious PsExec Execution, Microsoft Defender Antivirus Threat Detected, Gpscript Suspicious Parent, Logonui Wrong Parent, Csrss Child Found, Exfiltration Via Pscp, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Csrss Wrong Parent, PsExec Process, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, Phosphorus Domain Controller Discovery"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Credential Dumping-Tools Common Named Pipes, Mimikatz LSASS Memory Access, Credential Dumping By LaZagne, Load Of dbghelp/dbgcore DLL From Suspicious Process, LSASS Memory Dump File Creation, Lsass Access Through WinRM, Password Dumper Activity On LSASS, Unsigned Image Loaded Into LSASS Process, LSASS Access From Non System Account, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, LSASS Memory Dump, Credential Dumping Tools Service Execution, Dumpert LSASS Process Dumper"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Copying Sensitive Files With Credential Data, Credential Dumping-Tools Common Named Pipes, Grabbing Sensitive Hives Via Reg Utility, Suspicious SAM Dump, SAM Registry Hive Handle Request, RedMimicry Winnti Playbook Dropped File, Copying Browser Files With Credentials, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory, Impacket Secretsdump.py Tool"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Credential Dumping-Tools Common Named Pipes, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, MOFComp Execution, Dynwrapx Module Loading, CMSTP UAC Bypass via COM Object Access, Control Panel Items, Suspicious Control Process, Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, xWizard Execution, Suspicious Mshta Execution, Suspicious Regsvr32 Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Explorer Process Executing HTA File, CMSTP Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Dynwrapx Module Loading, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection, Dynwrapx Module Loading, CreateRemoteThread Common Process Injection"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, Svchost DLL Search Order Hijack, Suspicious DLL side loading from ProgramData"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious PowerShell Keywords, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell - NTFS Alternate Data Stream, PowerShell Invoke Expression With Registry, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, PowerShell Downgrade Attack, Detection of default Mimikatz banner, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, In-memory PowerShell, PowerShell Malicious PowerShell Commandlets, Suspicious PowerShell Invocations - Generic, Alternate PowerShell Hosts Pipe, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Credential Prompt, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, WMImplant Hack Tool, Turla Named Pipes, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Malicious PowerShell Keywords, Invoke-TheHash Commandlets, FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Blue Mockingbird Malware, Disable Security Events Logging Adding Reg Key MiniNt, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, NetNTLM Downgrade Attack, DHCP Callout DLL Installation, FlowCloud Malware, RDP Port Change Using Powershell, DNS ServerLevelPluginDll Installation, OceanLotus Registry Activity, Remote Registry Management Using Reg Utility, Chafer (APT 39) Activity"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, SysKey Registry Keys Access, Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added to Local Administrators, Account Tampering - Suspicious Failed Logon Reasons, Admin User RDP Remote Logon, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses, Denied Access To Remote Desktop"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Denied Access To Remote Desktop, RDP Login From Localhost"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Admin Share Access, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access, RDP Login From Localhost, Lateral Movement - Remote Named Pipe, Lsass Access Through WinRM, Denied Access To Remote Desktop, Smbexec.py Service Installation, Cobalt Strike Default Service Creation Usage, MMC20 Lateral Movement, MMC Spawning Windows Shell, RDP Port Change Using Powershell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Password Dumper Detection, Remote Monitoring and Management Software - AnyDesk, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious DLL Loaded Via Office Applications"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Allowed Python Program, Netsh RDP Port Opening, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Python Opening Ports, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar, Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Secure Deletion With SDelete, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan, Audit CVE Event"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, Phosphorus (APT35) Exchange Discovery, AD User Enumeration, Remote Privileged Group Enumeration, PowerView commandlets 2, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Creation or Modification of a GPO Scheduled Task, Chafer (APT 39) Activity"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Chafer (APT 39) Activity, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Creation or Modification of a GPO Scheduled Task, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Register New Logon Process, Suspicious Outbound Kerberos Connection"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Admin Share Access, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access, Lateral Movement - Remote Named Pipe, Smbexec.py Service Installation, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, WMI DLL Loaded Via Office, Invoke-TheHash Commandlets, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, WMImplant Hack Tool, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery, Privileged AD Builtin Group Modified, Domain Trust Created Or Removed"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution, DCSync Attack"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted, Secure Deletion With SDelete"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Narrator Feedback-Hub Persistence, Registry Key Used By Some Old Agent Tesla Samples, Svchost Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy, Audit CVE Event"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In, Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, WMI Event Subscription, WMI Persistence Script Event Consumer File Write, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Suspicious Scripting In A WMI Consumer, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Privileged Operation, SCM Database Handle Failure, PowerView commandlets 2"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, WMI Event Subscription"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
index e3313ef5b1..18af4ea392 100644
--- a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh RDP Port Opening, Debugging Software Deactivation, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Windows Firewall Changes, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Aspnet Compiler, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, Lazarus Loaders, Powershell Web Request, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Sysprep On AppData Folder, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage, Linux Suspicious Search, Outlook Registry Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Control Panel Items, CMSTP Execution, Equation Group DLL_U Load, Suspicious Windows Installer Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Suspicious Control Process, Explorer Process Executing HTA File, MavInject Process Injection, Mshta JavaScript Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Windows Firewall Changes, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Opening, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, ETW Tampering, Clear EventLogs Through CommandLine, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Elise Backdoor, Sysprep On AppData Folder, Linux Bash Reverse Shell, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Aspnet Compiler, Generic-reverse-shell-oneliner, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, PowerShell Downgrade Attack, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Mshta JavaScript Execution, xWizard Execution, Suspicious Mshta Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Taskkill Command, CMSTP Execution, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Powershell Web Request, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
index 7639561c16..a4f3243831 100644
--- a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
index 27a7319084..63fd06b460 100644
--- a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Analysis Threat Center [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Potential DNS Tunnel, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Windows Credential Editor Registry Key, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Suspicious Driver Loaded, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, FLTMC command usage, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Windows Firewall Changes, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, QakBot Process Creation, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, Lazarus Loaders, Powershell Web Request, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Trickbot Malware Activity, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious Outlook Child Process, Mshta Suspicious Child Process, Microsoft Office Creating Suspicious File, Sysprep On AppData Folder, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage, Linux Suspicious Search, Outlook Registry Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchprotocolhost Child Found, Rare Logonui Child Found, Explorer Wrong Parent, New Service Creation, Rare Lsass Child Found, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Csrss Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchprotocolhost Child Found, Rare Logonui Child Found, Explorer Wrong Parent, New Service Creation, Rare Lsass Child Found, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Csrss Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchprotocolhost Child Found, Rare Logonui Child Found, Suspicious DNS Child Process, Usage Of Sysinternals Tools, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Csrss Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchprotocolhost Child Found, Rare Logonui Child Found, Suspicious DNS Child Process, Usage Of Sysinternals Tools, Rare Lsass Child Found, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, SolarWinds Suspicious File Creation, Windows Update LolBins, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Exfiltration Via Pscp, Csrss Child Found"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious Control Process, IcedID Execution Using Excel, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious DLL Loading By Ordinal, xWizard Execution, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious Mshta Execution, CertOC Loading Dll, MOFComp Execution, Suspicious Regsvr32 Execution, MavInject Process Injection, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, Empire Monkey Activity, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Mshta Suspicious Child Process, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Lazarus Loaders, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Microsoft Office Product Spawning Windows Shell, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, IcedID Execution Using Excel, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, IcedID Execution Using Excel, Winword Document Droppers"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Analysis Threat Center [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Opening, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Opening, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Kernel Module Alteration"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Sysprep On AppData Folder, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Generic-reverse-shell-oneliner, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, WMIC Uninstall Product, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious Outlook Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Office Creating Suspicious File, Powershell Web Request, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, Rare Lsass Child Found, Rare Logonui Child Found, Winword wrong parent, Searchprotocolhost Child Found, New Service Creation, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, Rare Lsass Child Found, Rare Logonui Child Found, Winword wrong parent, Searchprotocolhost Child Found, New Service Creation, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Rare Lsass Child Found, Usage Of Sysinternals Tools, Rare Logonui Child Found, Suspicious DNS Child Process, Usage Of Procdump With Common Arguments, Winword wrong parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, PsExec Process, Taskhost or Taskhostw Suspicious Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Rare Lsass Child Found, Usage Of Sysinternals Tools, Rare Logonui Child Found, Suspicious DNS Child Process, Usage Of Procdump With Common Arguments, Winword wrong parent, Exfiltration Via Pscp, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, PsExec Process, Windows Update LolBins, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Mshta JavaScript Execution, MavInject Process Injection, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, MOFComp Execution, CMSTP UAC Bypass via COM Object Access, Control Panel Items, Suspicious Control Process, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, xWizard Execution, Suspicious Mshta Execution, Suspicious Regsvr32 Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Explorer Process Executing HTA File, CMSTP Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Powershell Web Request, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Disable Workstation Lock, FlowCloud Malware, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
index 404353e60d..b3c031e495 100644
--- a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR) [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity), Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity), Microsoft Office Creating Suspicious File, Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity), Explorer Process Executing HTA File"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Windows Credential Editor Registry Key, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Suspicious Driver Loaded, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh RDP Port Opening, Debugging Software Deactivation, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Windows Firewall Changes, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, NjRat Registry Changes, Suspicious desktop.ini Action"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Aspnet Compiler, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, Lazarus Loaders, Powershell Web Request, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Office Creating Suspicious File, Sysprep On AppData Folder, Python Offensive Tools and Packages, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage, Linux Suspicious Search, Outlook Registry Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Control Panel Items, CMSTP Execution, Equation Group DLL_U Load, Suspicious Windows Installer Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Suspicious Control Process, Explorer Process Executing HTA File, MavInject Process Injection, Mshta JavaScript Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process, Exfiltration Via Pscp"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Windows Firewall Changes, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR) [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity), Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity), Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity), Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, ETW Tampering, Clear EventLogs Through CommandLine, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Leviathan Registry Key Activity, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Elise Backdoor, Sysprep On AppData Folder, Linux Bash Reverse Shell, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Aspnet Compiler, Generic-reverse-shell-oneliner, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, PowerShell Downgrade Attack, AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, WMIC Uninstall Product, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Office Creating Suspicious File, Powershell Web Request, Suspicious Windows Script Execution, Python Offensive Tools and Packages, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Mshta JavaScript Execution, xWizard Execution, Suspicious Mshta Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Taskkill Command, CMSTP Execution, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Powershell Web Request, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, RDP Sensitive Settings Changed, Disable Workstation Lock, FlowCloud Malware, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
index 9684454bfc..831ed7b001 100644
--- a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Cybereason EDR Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Cybereason EDR Alert, Aspnet Compiler"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, Cybereason EDR Alert"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Cybereason EDR Alert, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Cybereason EDR Alert, Microsoft Office Creating Suspicious File, Aspnet Compiler"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Cybereason EDR Alert, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
index 8aa8fa0ff8..3dcd8b5c35 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope Transaction Events [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope Transaction Events [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
index 41a7208fcd..9fc5eb36f6 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
index da072d590a..e985e18dcf 100644
--- a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Covenant Default HTTP Beaconing, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Python HTTP Server, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, PowerCat Function Loading"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, Suspicious Taskkill Command, CertOC Loading Dll, MavInject Process Injection, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2, CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Python HTTP Server, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Nimbo-C2 User Agent, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Sliver DNS Beaconing, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, PowerCat Function Loading"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, WMIC Uninstall Product, Netsh Port Forwarding, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Windows Firewall Changes, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, WMIC Uninstall Product, Phorpiex DriveMgr Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, MavInject Process Injection, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
index 186abeb353..1190886ffa 100644
--- a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Aspnet Compiler"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Aspnet Compiler"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
index 036608c584..552a765083 100644
--- a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh RDP Port Opening, Debugging Software Deactivation, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Windows Firewall Changes, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Aspnet Compiler, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, Lazarus Loaders, Powershell Web Request, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Office Creating Suspicious File, Sysprep On AppData Folder, Python Offensive Tools and Packages, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage, Linux Suspicious Search, Outlook Registry Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Control Panel Items, CMSTP Execution, Equation Group DLL_U Load, Suspicious Windows Installer Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Suspicious Control Process, Explorer Process Executing HTA File, MavInject Process Injection, Mshta JavaScript Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Windows Firewall Changes, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, ETW Tampering, Clear EventLogs Through CommandLine, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Elise Backdoor, Sysprep On AppData Folder, Linux Bash Reverse Shell, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Aspnet Compiler, Generic-reverse-shell-oneliner, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, WMIC Uninstall Product, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Office Creating Suspicious File, Powershell Web Request, Suspicious Windows Script Execution, Python Offensive Tools and Packages, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Mshta JavaScript Execution, xWizard Execution, Suspicious Mshta Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Taskkill Command, CMSTP Execution, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Powershell Web Request, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
index 99457b05f3..be475e2c57 100644
--- a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
index 7276f66272..136174fb1e 100644
--- a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix Network Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Nimbo-C2 User Agent, Trellix Network Security Threat Blocked, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Trellix Network Security Threat Notified"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix Network Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Trellix Network Security Threat Blocked, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Trellix Network Security Threat Notified, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
index 139b043fc7..81b0600a3f 100644
--- a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
index 36b0d79638..612dd0a4fc 100644
--- a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Potential DNS Tunnel, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Chafer (APT 39) Activity, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, Python HTTP Server, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, IcedID Execution Using Excel, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, IcedID Execution Using Excel, Winword Document Droppers"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, WCE wceaux.dll Creation, Process Memory Dump Using Createdump, HackTools Suspicious Process Names In Command Line, HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Windows Credential Editor Registry Key, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disabled Base64 Encoded, SELinux Disabling, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Suspicious Driver Loaded, Disabled Service, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, AMSI Deactivation Using Registry Key, TrustedInstaller Impersonation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Defender Deactivation Using PowerShell Script, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disabled Base64 Encoded, SELinux Disabling, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Suspicious Driver Loaded, Disabled Service, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Powershell AMSI Bypass, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, Microsoft Defender Antivirus Disable SecurityHealth, FLTMC command usage, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, AMSI Deactivation Using Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, TrustedInstaller Impersonation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Windows Defender Deactivation Using PowerShell Script, Netsh Allow Command, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Windows Firewall Changes, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Taskhostw Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Wrong Parent, MavInject Process Injection, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, PowerShell - NTFS Alternate Data Stream, QakBot Process Creation, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Aspnet Compiler, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, MalwareBytes Uninstallation, Lazarus Loaders, Powershell Web Request, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, WMImplant Hack Tool, Exploiting SetupComplete.cmd CVE-2019-1378, Trickbot Malware Activity, Microsoft Office Spawning Script, Interactive Terminal Spawned via Python, Socat Relaying Socket, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Keywords, Elise Backdoor, Socat Reverse Shell Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, AutoIt3 Execution From Suspicious Folder, PowerShell Malicious PowerShell Commandlets, Suspicious VBS Execution Parameter, PowerShell Invoke Expression With Registry, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Invoke-TheHash Commandlets, Suspicious Outlook Child Process, Mshta Suspicious Child Process, Microsoft Office Creating Suspicious File, FromBase64String Command Line, Sysprep On AppData Folder, Python Offensive Tools and Packages, Suspicious Windows Script Execution, Malicious PowerShell Keywords, PowerShell Credential Prompt, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, NjRat Registry Changes, Powershell Winlogon Helper DLL, Suspicious desktop.ini Action"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage, Linux Suspicious Search, Outlook Registry Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Add User to Privileged Group, SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Cron Files Alteration, Blue Mockingbird Malware, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Chafer (APT 39) Activity, Logonui Wrong Parent, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Explorer Wrong Parent, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, New Service Creation, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Chafer (APT 39) Activity, Logonui Wrong Parent, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Explorer Wrong Parent, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, New Service Creation, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Logonui Child Found, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Rare Logonui Child Found, Microsoft Defender Antivirus Threat Detected, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Exfiltration Via Pscp, Winrshost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Windows Update LolBins, Csrss Child Found, Wininit Wrong Parent"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, Phosphorus Domain Controller Discovery, PowerView commandlets 1, NlTest Usage, PowerView commandlets 2, Trickbot Malware Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious Control Process, IcedID Execution Using Excel, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious DLL Loading By Ordinal, xWizard Execution, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious Mshta Execution, CertOC Loading Dll, MOFComp Execution, Suspicious Regsvr32 Execution, MavInject Process Injection, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell - NTFS Alternate Data Stream, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, Powershell Web Request, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, WMImplant Hack Tool, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Keywords, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious PowerShell Commandlets, PowerShell Invoke Expression With Registry, Default Encoding To UTF-8 PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Invoke-TheHash Commandlets, FromBase64String Command Line, Mshta Suspicious Child Process, Malicious PowerShell Keywords, PowerShell Credential Prompt"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Lazarus Loaders, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Chafer (APT 39) Activity, Blue Mockingbird Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Admin User RDP Remote Logon, Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, PowerShell Data Compressed, Data Compressed With Rar"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, RDP Login From Localhost, MMC Spawning Windows Shell"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Suspicious HWP Child Process, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line, Rubeus Register New Logon Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, Failed Logon Source From Public IP Addresses, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Socat Relaying Socket, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing, Chafer (APT 39) Activity"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Winword Document Droppers, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, IcedID Execution Using Excel, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Defender Antivirus Threat Detected, Exploit For CVE-2015-1641"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Names, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, Microsoft Defender Antivirus Disable Services, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Microsoft Defender Antivirus Disable SecurityHealth, SELinux Disabling, WMIC Uninstall Product, Fail2ban Unban IP, TrustedInstaller Impersonation, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Disabled Service, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage, Microsoft Defender Antivirus Disable Services, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Microsoft Defender Antivirus Disable SecurityHealth, SELinux Disabling, WMIC Uninstall Product, Fail2ban Unban IP, TrustedInstaller Impersonation, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Disabled Service, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Opening, Powershell AMSI Bypass, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, Windows Firewall Changes, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Tampering Detected, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent, Explorer Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Sysprep On AppData Folder, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, PowerShell - NTFS Alternate Data Stream, Venom Multi-hop Proxy agent detection, Aspnet Compiler, Generic-reverse-shell-oneliner, MalwareBytes Uninstallation, PowerShell Invoke Expression With Registry, Suspicious CodePage Switch with CHCP, Suspicious XOR Encoded PowerShell Command Line, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, PowerShell Downgrade Attack, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Phorpiex DriveMgr Command, PowerShell Malicious PowerShell Commandlets, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Suspicious Outlook Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Office Creating Suspicious File, Powershell Web Request, PowerShell Credential Prompt, Suspicious Windows Script Execution, WMImplant Hack Tool, Python Offensive Tools and Packages, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, Interactive Terminal Spawned via Python, Malicious PowerShell Keywords, Invoke-TheHash Commandlets, FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Socat Reverse Shell Detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Chafer (APT 39) Activity"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, DNS Server Error Failed Loading The ServerLevelPluginDLL, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Chafer (APT 39) Activity, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Explorer Wrong Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Child Found, New Service Creation, Wininit Wrong Parent, Logonui Wrong Parent, Csrss Child Found, SolarWinds Wrong Child Process, Csrss Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Chafer (APT 39) Activity, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Explorer Wrong Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Child Found, New Service Creation, Wininit Wrong Parent, Logonui Wrong Parent, Csrss Child Found, SolarWinds Wrong Child Process, Csrss Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Searchprotocolhost Child Found, Wininit Wrong Parent, Logonui Wrong Parent, Csrss Child Found, SolarWinds Wrong Child Process, Csrss Wrong Parent, PsExec Process, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, SolarWinds Suspicious File Creation, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Windows Update LolBins, Taskhostw Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Searchprotocolhost Child Found, Wininit Wrong Parent, Microsoft Defender Antivirus Threat Detected, Logonui Wrong Parent, Csrss Child Found, Exfiltration Via Pscp, SolarWinds Wrong Child Process, Csrss Wrong Parent, PsExec Process, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, Domain Trust Discovery Through LDAP, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, AdFind Usage, Phosphorus Domain Controller Discovery"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Mshta JavaScript Execution, MavInject Process Injection, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, MOFComp Execution, CMSTP UAC Bypass via COM Object Access, Control Panel Items, Suspicious Control Process, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, xWizard Execution, Suspicious Mshta Execution, Suspicious Regsvr32 Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Explorer Process Executing HTA File, CMSTP Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious PowerShell Keywords, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell - NTFS Alternate Data Stream, PowerShell Invoke Expression With Registry, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, PowerShell Downgrade Attack, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious PowerShell Commandlets, Suspicious PowerShell Invocations - Generic, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Credential Prompt, Powershell Web Request, WMImplant Hack Tool, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Malicious PowerShell Keywords, Invoke-TheHash Commandlets, FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Copy Of Legitimate System32 Executable, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Disable Workstation Lock, FlowCloud Malware, OceanLotus Registry Activity, Chafer (APT 39) Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Tampering - Suspicious Failed Logon Reasons, Admin User RDP Remote Logon, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Allowed Python Program, Netsh RDP Port Opening, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar, Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Chafer (APT 39) Activity"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Invoke-TheHash Commandlets, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, WMImplant Hack Tool, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Login From Localhost, MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Suspicious HWP Child Process"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack, Rubeus Register New Logon Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Creation, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
index a08d4102c1..8ae84c7089 100644
--- a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) MCAS New Country, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) AtpDetection, Possible Malicious File Double Extension, Microsoft 365 (Office 365) MCAS Repeated Failed Login, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Suspicious Double Extension, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) MCAS New Country, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Aspnet Compiler"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Microsoft 365 Device Code Authentication, Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Suspicious Double Extension, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Suspicious Double Extension, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) MCAS Risky IP, Possible Malicious File Double Extension, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft Defender for Office 365 High Severity AIR Alert, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft 365 (Office 365) MCAS Detection Velocity, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Safelinks Disabled, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) DLP Policy Removed"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Failed Logon Source From Public IP Addresses, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, TrevorC2 HTTP Communication, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, TrevorC2 HTTP Communication, Koadic MSHTML Command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Aspnet Compiler"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Microsoft 365 Device Code Authentication, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Suspicious Double Extension, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Consumer Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Consumer Email Address"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
index 3975dd42e6..38d5a41fe4 100644
--- a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
index 9ee228384a..e6c993991a 100644
--- a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Salesforce [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Salesforce [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
index 37f488447d..79e1de4f4f 100644
--- a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail IAM ChangePassword, AWS CloudTrail Important Change, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail Remove Flow logs, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail Disable MFA, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail GuardDuty Detector Suspended"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Policy Changed, AWS CloudTrail EC2 CreateVPC, AWS CloudTrail Route 53 Domain Transfer Lock Disabled"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Policy Changed, AWS CloudTrail Route 53 Domain Transfer Lock Disabled"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail IAM ChangePassword, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Disable MFA, AWS CloudTrail Remove Flow logs, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail Important Change, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail GuardDuty Detector Suspended"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1021.007", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail RDS DB Cluster/Instance Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1578.002", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail Important Change, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Remove Flow logs, AWS CloudTrail Disable MFA, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM ChangePassword, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail GuardDuty Disruption"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail IAM Policy Changed, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Attempt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Important Change, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM ChangePassword, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail Remove Flow logs, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail Disable MFA, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail IAM UpdateSAMLProvider"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail EC2 Subnet Deleted"}, {"techniqueID": "T1021.007", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail RDS DB Cluster/Instance Deleted"}, {"techniqueID": "T1578.002", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
index 1d6df9218a..b174193d17 100644
--- a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom Cloud Secure Web Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom Cloud Secure Web Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
index 93f5a975fd..b51769b2fb 100644
--- a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Koadic MSHTML Command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json
index 4fb4b658d8..e70196a10f 100644
--- a/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Panda Security SIEM Feeder", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, Ursnif Registry Key, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Panda Security SIEM Feeder", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RDP Sensitive Settings Changed, Disable Workstation Lock, FlowCloud Malware, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
index b394add607..265be32330 100644
--- a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Zscaler Internet Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Bazar Loader DGA (Domain Generation Algorithm), Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Zscaler Internet Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, Sliver DNS Beaconing, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
index 9ce4183fca..dec1546740 100644
--- a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netskope Alert"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netskope Alert"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
index cd428c200d..7ebefe337e 100644
--- a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
index 140249929f..43175beed4 100644
--- a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Scam Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365, Spam Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365 And Not Blocked, Spearphishing (CEO Fraud) Detected By Vade For M365, Spearphishing (W2 Fraud) Detected By Vade For M365, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Scam Detected By Vade For M365, Malware Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365 And Not Blocked, Scam Detected By Vade For M365, Malware Detected By Vade For M365, Spearphishing (W2 Fraud) Detected By Vade For M365, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, Spearphishing (CEO Fraud) Detected By Vade For M365, SEKOIA.IO Intelligence Feed, Spam Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
index 9c486b336f..79afe83f13 100644
--- a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Okta Phishing Detection with FastPass Origin Check"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Unauthorized Access to App, Okta Suspicious Activity Reported"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta User Impersonation Access, Okta Admin Privilege Granted, Okta User Account Deactivated, Okta Application modified, Okta Application deleted"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token created, Okta API Token revoked"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Network Zone Modified, Okta Network Zone Deleted"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Security Threat Configuration Updated, Okta Network Zone Deactivated, Okta Blacklist Manipulations, Okta Network Zone Modified, Okta Network Zone Deleted, Okta MFA Disabled"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Modified or Deleted, Okta Policy Rule Modified or Deleted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Okta Phishing Detection with FastPass Origin Check"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Unauthorized Access to App, Okta Suspicious Activity Reported"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta Application modified, Okta Application deleted, Okta User Account Deactivated, Okta Admin Privilege Granted, Okta User Impersonation Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token created, Okta API Token revoked"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deleted, Okta Network Zone Deactivated, Okta Network Zone Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Security Threat Configuration Updated, Okta Network Zone Modified, Okta MFA Disabled, Okta Network Zone Deleted, Okta Blacklist Manipulations"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Rule Modified or Deleted, Okta Policy Modified or Deleted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
index d9e1df7408..9567e90942 100644
--- a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, SELinux Disabling, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Disabled Service, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, SELinux Disabling, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, ETW Tampering, Disabled Service, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh RDP Port Opening, Debugging Software Deactivation, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Windows Firewall Changes, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, MalwareBytes Uninstallation, Lazarus Loaders, Powershell Web Request, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Socat Relaying Socket, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Socat Reverse Shell Detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Office Creating Suspicious File, Sysprep On AppData Folder, Python Offensive Tools and Packages, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage, Linux Suspicious Search, Outlook Registry Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Control Panel Items, CMSTP Execution, Equation Group DLL_U Load, Suspicious Windows Installer Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, Suspicious Mshta Execution, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, Suspicious Control Process, Explorer Process Executing HTA File, MavInject Process Injection, Mshta JavaScript Execution, xWizard Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Windows Firewall Changes, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Opening, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, SELinux Disabling, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Disabled Service, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, ETW Tampering, Clear EventLogs Through CommandLine, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, SELinux Disabling, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Disabled Service, Dism Disabling Windows Defender, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Elise Backdoor, Sysprep On AppData Folder, Linux Bash Reverse Shell, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, WMIC Uninstall Product, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Office Creating Suspicious File, Powershell Web Request, Suspicious Windows Script Execution, Python Offensive Tools and Packages, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Interactive Terminal Spawned via Python, Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Mshta JavaScript Execution, xWizard Execution, Suspicious Mshta Execution, MavInject Process Injection, Empire Monkey Activity, Suspicious Windows Installer Execution, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Taskkill Command, CMSTP Execution, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, Suspicious CodePage Switch with CHCP, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Powershell Web Request, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
index e18bed3ae6..4c19108107 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Aspnet Compiler"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-1147 SharePoint, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
index 1bf3bd4687..75af8121e9 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
index 2c7fa2f878..f35b0cf838 100644
--- a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
index 854350f21a..e5bed12f4b 100644
--- a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway HTTP [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, LokiBot Default C2 URL, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway HTTP [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-21985 VMware vCenter, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, LokiBot Default C2 URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
index e6d78972da..fc0b02ea7c 100644
--- a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Stormshield SES [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Stormshield Ses Critical Not Block, Stormshield Ses Critical Block, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Stormshield Ses Emergency Block, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, IcedID Execution Using Excel, Winword Document Droppers"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, IcedID Execution Using Excel, Winword Document Droppers"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Pandemic Windows Implant, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Windows Credential Editor Registry Key, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Suspicious Driver Loaded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Suspicious Driver Loaded, ETW Tampering, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allowed Python Program, Fail2ban Unban IP, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, FLTMC command usage, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Netsh Allow Command, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Windows Firewall Changes, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Taskhostw Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Wrong Parent, MavInject Process Injection, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, QakBot Process Creation, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Aspnet Compiler, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, Lazarus Loaders, Powershell Web Request, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Trickbot Malware Activity, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Default Encoding To UTF-8 PowerShell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious Outlook Child Process, Mshta Suspicious Child Process, Sysprep On AppData Folder, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage, Linux Suspicious Search, Outlook Registry Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Blue Mockingbird Malware, STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Logonui Wrong Parent, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Explorer Wrong Parent, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, New Service Creation, Rare Lsass Child Found, Winlogon wrong parent, Taskhost Wrong Parent, Csrss Child Found, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Logonui Wrong Parent, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Explorer Wrong Parent, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, New Service Creation, Rare Lsass Child Found, Winlogon wrong parent, Taskhost Wrong Parent, Csrss Child Found, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Logonui Child Found, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Rare Lsass Child Found, Winlogon wrong parent, Taskhost Wrong Parent, Csrss Child Found, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Rare Logonui Child Found, Usage Of Procdump With Common Arguments, Logonui Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Winword wrong parent, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Lsass Wrong Parent, Smss Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Csrss Wrong Parent, Exfiltration Via Pscp, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Child Found, Suspicious DNS Child Process, Rare Lsass Child Found, Winlogon wrong parent, Taskhost Wrong Parent, Windows Update LolBins, Csrss Child Found, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, Suspicious Windows Installer Execution, PowerShell Execution Via Rundll32, Suspicious Control Process, IcedID Execution Using Excel, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious DLL Loading By Ordinal, xWizard Execution, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious Mshta Execution, CertOC Loading Dll, MOFComp Execution, Suspicious Regsvr32 Execution, MavInject Process Injection, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, Empire Monkey Activity, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Mshta Suspicious Child Process, Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, MalwareBytes Uninstallation, Elise Backdoor, Lazarus Loaders, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Stormshield SES [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, IcedID Execution Using Excel, Suspicious Outlook Child Process, Stormshield Ses Critical Not Block, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Winword Document Droppers, Exploit For CVE-2015-1641, Stormshield Ses Critical Block, Stormshield Ses Emergency Block"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Winword Document Droppers, Exploit For CVE-2015-1641"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process, CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Opening, Package Manager Alteration, ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage, Raccine Uninstall, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, WMIC Uninstall Product, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Dism Disabling Windows Defender, Netsh Program Allowed With Suspicious Location, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent, Explorer Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: QakBot Process Creation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Sysprep On AppData Folder, Linux Bash Reverse Shell, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Aspnet Compiler, Generic-reverse-shell-oneliner, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, PowerShell Downgrade Attack, AutoIt3 Execution From Suspicious Folder, Suspicious VBS Execution Parameter, WMIC Uninstall Product, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious Outlook Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Explorer Wrong Parent, Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Child Found, New Service Creation, Logonui Wrong Parent, Csrss Child Found, SolarWinds Wrong Child Process, Csrss Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Explorer Wrong Parent, Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Child Found, New Service Creation, Logonui Wrong Parent, Csrss Child Found, SolarWinds Wrong Child Process, Csrss Wrong Parent, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Taskhostw Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Searchprotocolhost Child Found, Logonui Wrong Parent, Csrss Child Found, SolarWinds Wrong Child Process, Csrss Wrong Parent, PsExec Process, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Wsmprovhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Windows Update LolBins, Taskhostw Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Searchprotocolhost Child Found, Logonui Wrong Parent, Csrss Child Found, Exfiltration Via Pscp, SolarWinds Wrong Child Process, Csrss Wrong Parent, PsExec Process, Winlogon wrong parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Mshta JavaScript Execution, MavInject Process Injection, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, MOFComp Execution, CMSTP UAC Bypass via COM Object Access, Control Panel Items, Suspicious Control Process, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, xWizard Execution, Suspicious Mshta Execution, Suspicious Regsvr32 Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Explorer Process Executing HTA File, CMSTP Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Powershell Web Request, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, RDP Sensitive Settings Changed, Disable Workstation Lock, FlowCloud Malware, OceanLotus Registry Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Allowed Python Program, Netsh RDP Port Opening, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, WMI Persistence Script Event Consumer File Write, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
index f835d18c63..05db6c7d95 100644
--- a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudFront [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudFront [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
index 24cd277a7d..bcc9a545ab 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
@@ -1,7 +1,13 @@
-Changelog _last update on 2024-03-18_
+Changelog _last update on 2024-03-22_
## Changelog
+### Remote Task Creation Via ATSVC Named Pipe
+ - 21/03/2024 - minor - change filter to ACL hex value
+
+### Remote Service Activity Via SVCCTL Named Pipe
+ - 21/03/2024 - minor - change filter to ACL hex value and adapt effort
+
### Microsoft 365 Suspicious Inbox Rule
- 13/03/2024 - minor - Add another suspicious folder.
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
index f69e6b3603..b4545adf12 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
@@ -1,4 +1,4 @@
-Rules catalog includes **841 built-in detection rules** ([_last update on 2024-03-18_](rules_changelog.md)).
+Rules catalog includes **849 built-in detection rules** ([_last update on 2024-03-22_](rules_changelog.md)).
## Reconnaissance
**Gather Victim Network Information**
@@ -46,6 +46,14 @@ Rules catalog includes **841 built-in detection rules** ([_last update on 2024-0
- **Effort:** advanced
+**Gather Victim Host Information**
+
+??? abstract "Wmic Suspicious Commands"
+
+ Detects suspicious commands used by the process wmic to get informations on the system.
+
+ - **Effort:** advanced
+
**Active Scanning**
??? abstract "Burp Suite Tool Detected"
@@ -1303,6 +1311,10 @@ Rules catalog includes **841 built-in detection rules** ([_last update on 2024-0
- **Effort:** intermediate
+ - **Changelog:**
+
+ - 21/03/2024 - minor - change filter to ACL hex value
+
??? abstract "STRRAT Scheduled Task"
Detect STRRAT when it achieves persistence by creating a scheduled task. STRRAT is a Java-based stealer and remote backdoor, it establishes persistence using this specific command line: 'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\SAMPLENAME.jar"'
@@ -2551,6 +2563,12 @@ Rules catalog includes **841 built-in detection rules** ([_last update on 2024-0
- **Effort:** intermediate
+??? abstract "Google Workspace Anomaly Downloads"
+
+ Detects a large number of downloads.
+
+ - **Effort:** advanced
+
??? abstract "HTA Infection Chains"
Detect the creation of a ZIP and HTA file as it is often used in infection chains. Furthermore it also detects the use of suspicious processes launched by explorer.exe combined with the creation of an HTA file, since it is also often used in infection chains (LNK - HTA for instance).
@@ -3926,6 +3944,10 @@ Rules catalog includes **841 built-in detection rules** ([_last update on 2024-0
- **Effort:** intermediate
+ - **Changelog:**
+
+ - 21/03/2024 - minor - change filter to ACL hex value
+
??? abstract "STRRAT Scheduled Task"
Detect STRRAT when it achieves persistence by creating a scheduled task. STRRAT is a Java-based stealer and remote backdoor, it establishes persistence using this specific command line: 'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\SAMPLENAME.jar"'
@@ -5138,6 +5160,10 @@ Rules catalog includes **841 built-in detection rules** ([_last update on 2024-0
- **Effort:** intermediate
+ - **Changelog:**
+
+ - 21/03/2024 - minor - change filter to ACL hex value
+
??? abstract "STRRAT Scheduled Task"
Detect STRRAT when it achieves persistence by creating a scheduled task. STRRAT is a Java-based stealer and remote backdoor, it establishes persistence using this specific command line: 'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\SAMPLENAME.jar"'
@@ -9158,6 +9184,7 @@ Rules catalog includes **841 built-in detection rules** ([_last update on 2024-0
- **Changelog:**
+ - 21/03/2024 - minor - Adding similarity strategy to reduce alerts creation.
- 22/01/2024 - minor - Removing a file extension to allow broader detection.
- 16/11/2023 - minor - Changing effort level and adding filter to reduce false positives.
- 03/07/2023 - minor - Added french words for the command lines.
@@ -9827,8 +9854,12 @@ Rules catalog includes **841 built-in detection rules** ([_last update on 2024-0
Detects remote service activity via remote access to the svcctl named pipe
- - **Effort:** advanced
+ - **Effort:** master
+
+ - **Changelog:**
+ - 21/03/2024 - minor - change filter to ACL hex value and adapt effort
+
??? abstract "Smbexec.py Service Installation"
Detects the use of smbexec.py tool by detecting a specific service installation
@@ -10131,6 +10162,36 @@ Rules catalog includes **841 built-in detection rules** ([_last update on 2024-0
- **Effort:** intermediate
+??? abstract "CrowdStrike Falcon Mobile Detection Critical Severity"
+
+ CrowdStrike Falcon for Mobile raised an alert with critical severity
+
+ - **Effort:** master
+
+??? abstract "CrowdStrike Falcon Mobile Detection High Severity"
+
+ CrowdStrike Falcon for Mobile raised an alert with high severity
+
+ - **Effort:** master
+
+??? abstract "CrowdStrike Falcon Mobile Detection Informational Severity"
+
+ CrowdStrike Falcon for Mobile raised an alert with informational severity
+
+ - **Effort:** master
+
+??? abstract "CrowdStrike Falcon Mobile Detection Low Severity"
+
+ CrowdStrike Falcon for Mobile raised an alert with low severity
+
+ - **Effort:** master
+
+??? abstract "CrowdStrike Falcon Mobile Detection Medium Severity"
+
+ CrowdStrike Falcon for Mobile raised an alert with medium severity
+
+ - **Effort:** master
+
??? abstract "Cryptomining"
Detection of domain names potentially related to cryptomining activities.
@@ -10173,6 +10234,12 @@ Rules catalog includes **841 built-in detection rules** ([_last update on 2024-0
- **Effort:** advanced
+??? abstract "Google Workspace External Sharing"
+
+ Detects a large number of external sharing.
+
+ - **Effort:** master
+
??? abstract "Koadic MSHTML Command"
Detects Koadic payload using MSHTML module
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md
index 9cd4228766..4a845e3ae4 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md
@@ -261,6 +261,36 @@ The following Sekoia.io built-in rules match the intake **CrowdStrike Falcon**.
- **Effort:** master
+??? abstract "CrowdStrike Falcon Mobile Detection Critical Severity"
+
+ CrowdStrike Falcon for Mobile raised an alert with critical severity
+
+ - **Effort:** master
+
+??? abstract "CrowdStrike Falcon Mobile Detection High Severity"
+
+ CrowdStrike Falcon for Mobile raised an alert with high severity
+
+ - **Effort:** master
+
+??? abstract "CrowdStrike Falcon Mobile Detection Informational Severity"
+
+ CrowdStrike Falcon for Mobile raised an alert with informational severity
+
+ - **Effort:** master
+
+??? abstract "CrowdStrike Falcon Mobile Detection Low Severity"
+
+ CrowdStrike Falcon for Mobile raised an alert with low severity
+
+ - **Effort:** master
+
+??? abstract "CrowdStrike Falcon Mobile Detection Medium Severity"
+
+ CrowdStrike Falcon for Mobile raised an alert with medium severity
+
+ - **Effort:** master
+
??? abstract "Csrss Child Found"
The csrss.exe process (csrss stands for Client / Server Runtime Subsystem) is a generic Windows process used to manage windows and Windows graphics. This process should not create a child process or it is very rare.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.md
index 177bfa2122..19635000b4 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.md
@@ -1825,7 +1825,7 @@ The following Sekoia.io built-in rules match the intake **Sekoia.io Endpoint Age
Detects remote service activity via remote access to the svcctl named pipe
- - **Effort:** advanced
+ - **Effort:** master
??? abstract "Remote Task Creation Via ATSVC Named Pipe"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md
index 541af5fbde..d674a74a9b 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md
@@ -2035,7 +2035,7 @@ The following Sekoia.io built-in rules match the intake **Windows**. This docume
Detects remote service activity via remote access to the svcctl named pipe
- - **Effort:** advanced
+ - **Effort:** master
??? abstract "Remote Task Creation Via ATSVC Named Pipe"
diff --git a/docs/xdr/features/detect/built_in_detection_rules_eventids.md b/docs/xdr/features/detect/built_in_detection_rules_eventids.md
index 3acb3f265b..cf0e20de98 100644
--- a/docs/xdr/features/detect/built_in_detection_rules_eventids.md
+++ b/docs/xdr/features/detect/built_in_detection_rules_eventids.md
@@ -1,6 +1,6 @@
# Built-in detection rules, EventIDs and EventProviders relations
SEKOIA.IO provides built-in detection rules to illuminate intrusions, adversarial behaviours and suspicious activity escalation chains so you can immediately take steps to remediate. Built-in rules can be customized to your context and according to your security posture.
-This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2024-03-18_
+This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2024-03-22_
The colors of the EventIDs in this page should be interpreted as follow:
@@ -90,6 +90,7 @@ The colors of the EventIDs in this page should be interpreted as follow:
| Tenable Identity Exposure / Alsid Critical Severity Alert | master | 83820799 | |
| Windows Firewall Changes | master | 1 | Microsoft-Windows-Sysmon |
| Remote Registry Management Using Reg Utility | master | 5145 | Microsoft-Windows-Security-Auditing |
+| Remote Service Activity Via SVCCTL Named Pipe | master | 5145 | Microsoft-Windows-Security-Auditing |
| Tenable Identity Exposure / Alsid High Severity Alert | master | 79016668 | |
| Rubeus Register New Logon Process | master | 4611 | Microsoft-Windows-Security-Auditing |
| Netsh Port Opening | master | 1 | Microsoft-Windows-Sysmon |
@@ -127,6 +128,7 @@ The colors of the EventIDs in this page should be interpreted as follow:
| Dynwrapx Module Loading | advanced | 7 | Microsoft-Windows-Sysmon |
| Taskhostw Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
| PowerShell Invoke-Obfuscation Obfuscated IEX Invocation | advanced | 4104 | Microsoft-Windows-PowerShell |
+| Wmic Suspicious Commands | advanced | 5 | Kernel-Process |
| Suspicious Windows DNS Queries | advanced | 22 | Microsoft-Windows-Sysmon |
| Suspicious XOR Encoded PowerShell Command Line | advanced | 4104 | Microsoft-Windows-PowerShell |
| Windows Registry Persistence COM Search Order Hijacking | advanced | 13 | Microsoft-Windows-Sysmon |
@@ -199,7 +201,6 @@ The colors of the EventIDs in this page should be interpreted as follow:
| Load Of dbghelp/dbgcore DLL From Suspicious Process | advanced | 7 | Microsoft-Windows-Sysmon |
| Legitimate Process Execution From Unusual Folder | advanced | 1, 5, 4688 | Microsoft-Windows-Sysmon |
| Taskhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
-| Remote Service Activity Via SVCCTL Named Pipe | advanced | 5145 | Microsoft-Windows-Security-Auditing |
| Rare Logonui Child Found | advanced | 1 | Microsoft-Windows-Sysmon |
| Microsoft Office Product Spawning Windows Shell | advanced | 1 | Microsoft-Windows-Sysmon |
| Wmiprvse Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
@@ -470,29 +471,29 @@ The colors of the EventIDs in this page should be interpreted as follow:
| Suspicious Netsh DLL Persistence | elementary | 1 | Microsoft-Windows-Sysmon |
## EventIDs occurences in rules
-| EventID | Number of rules concerned | Percentage of rules concerned (Total rules: 456) |
+| EventID | Number of rules concerned | Percentage of rules concerned (Total rules: 457) |
| ------- | ------------------------- | ------------------------------------------------------ |
-| 1 | 224 | 49.12 % |
-| 13 | 45 | 9.87 % |
-| 4104 | 43 | 9.43 % |
-| 11 | 20 | 4.39 % |
-| 5 | 18 | 3.95 % |
-| 7 | 15 | 3.29 % |
+| 1 | 224 | 49.02 % |
+| 13 | 45 | 9.85 % |
+| 4104 | 43 | 9.41 % |
+| 11 | 20 | 4.38 % |
+| 5 | 19 | 4.16 % |
+| 7 | 15 | 3.28 % |
| 7045 | 11 | 2.41 % |
| 5145 | 11 | 2.41 % |
| 15 | 8 | 1.75 % |
| 4656 | 8 | 1.75 % |
-| 4688 | 7 | 1.54 % |
-| 3 | 7 | 1.54 % |
-| 98 | 6 | 1.32 % |
-| 4663 | 6 | 1.32 % |
-| 10 | 6 | 1.32 % |
-| 4697 | 6 | 1.32 % |
-| 4662 | 6 | 1.32 % |
-| 17 | 6 | 1.32 % |
-| 5136 | 6 | 1.32 % |
-| 1116 | 5 | 1.1 % |
-| 4624 | 5 | 1.1 % |
+| 4688 | 7 | 1.53 % |
+| 3 | 7 | 1.53 % |
+| 98 | 6 | 1.31 % |
+| 4663 | 6 | 1.31 % |
+| 10 | 6 | 1.31 % |
+| 4697 | 6 | 1.31 % |
+| 4662 | 6 | 1.31 % |
+| 17 | 6 | 1.31 % |
+| 5136 | 6 | 1.31 % |
+| 1116 | 5 | 1.09 % |
+| 4624 | 5 | 1.09 % |
| 64 | 4 | 0.88 % |
| 22 | 4 | 0.88 % |
| 4625 | 3 | 0.66 % |
@@ -577,12 +578,12 @@ The colors of the EventIDs in this page should be interpreted as follow:
| 4732 | 1 | 0.22 % |
## EventProviders occurences in rules
-| EventProvider | Number of rules concerned | Percentage of rules concerned (Total rules: 456) |
+| EventProvider | Number of rules concerned | Percentage of rules concerned (Total rules: 457) |
| ------- | ------------------------- | ------------------------------------------------------ |
-| Microsoft-Windows-Sysmon | 292 | 64.04 % |
-| Microsoft-Windows-Security-Auditing | 70 | 15.35 % |
-| Microsoft-Windows-PowerShell | 46 | 10.09 % |
-| Kernel-Process | 26 | 5.7 % |
+| Microsoft-Windows-Sysmon | 292 | 63.89 % |
+| Microsoft-Windows-Security-Auditing | 70 | 15.32 % |
+| Microsoft-Windows-PowerShell | 46 | 10.07 % |
+| Kernel-Process | 27 | 5.91 % |
| Service Control Manager | 11 | 2.41 % |
| Microsoft-Windows-Windows Defender | 9 | 1.97 % |
| Microsoft-Windows-Kernel-File | 4 | 0.88 % |
@@ -601,9 +602,9 @@ The colors of the EventIDs in this page should be interpreted as follow:
| Microsoft-Windows-Kernel-General | 1 | 0.22 % |
## EffortLevel x EventIDs
-| Effort Level | EventIDs | Number of related rules | Percentage of related rules (Total rules: 456 |
+| Effort Level | EventIDs | Number of related rules | Percentage of related rules (Total rules: 457 |
| ------------ | -------- | ----------------------- | ------------------------------------------------------- |
-| master | 1, 10, 1013, 11, 12, 13, 15, 150, 17, 22, 25, 27, 3, 40, 4104, 4611, 4624, 4625, 4656, 4661, 4662, 4663, 4673, 4674, 4720, 4726, 4727, 4728, 4729, 4730, 4732, 4743, 4754, 4756, 4757, 4758, 4764, 5007, 5140, 5145, 64, 7, 770, 771, 79016668, 8001, 83820799, 98 | 90 | 19.74 % |
-| advanced | 1, 10, 1006, 1007, 1008, 1015, 11, 1116, 1117, 1118, 1119, 1125, 1126, 1127, 13, 15, 17, 19, 20, 2013, 21, 22, 3, 4103, 4104, 4624, 4625, 4656, 4662, 4688, 4706, 4707, 4776, 4799, 5, 5001, 5010, 5012, 5101, 5136, 5145, 5154, 5156, 6416, 7, 7045, 8 | 114 | 25.0 % |
-| intermediate | 1, 10, 1000, 1031, 1032, 1033, 1034, 11, 1102, 1116, 12, 13, 15, 16, 17, 20, 22, 3, 30, 4103, 4104, 4624, 4649, 4656, 4657, 4658, 4662, 4663, 4688, 4697, 47, 4720, 4738, 4741, 4742, 4794, 4825, 5, 5136, 5145, 517, 524, 6, 7, 7045 | 166 | 36.4 % |
-| elementary | 1, 10, 11, 1116, 13, 15, 17, 325, 4103, 4104, 4625, 4656, 4663, 4688, 4697, 4704, 4720, 5, 5136, 6, 7, 7045, 8 | 86 | 18.86 % |
\ No newline at end of file
+| master | 1, 10, 1013, 11, 12, 13, 15, 150, 17, 22, 25, 27, 3, 40, 4104, 4611, 4624, 4625, 4656, 4661, 4662, 4663, 4673, 4674, 4720, 4726, 4727, 4728, 4729, 4730, 4732, 4743, 4754, 4756, 4757, 4758, 4764, 5007, 5140, 5145, 64, 7, 770, 771, 79016668, 8001, 83820799, 98 | 91 | 19.91 % |
+| advanced | 1, 10, 1006, 1007, 1008, 1015, 11, 1116, 1117, 1118, 1119, 1125, 1126, 1127, 13, 15, 17, 19, 20, 2013, 21, 22, 3, 4103, 4104, 4624, 4625, 4656, 4662, 4688, 4706, 4707, 4776, 4799, 5, 5001, 5010, 5012, 5101, 5136, 5145, 5154, 5156, 6416, 7, 7045, 8 | 114 | 24.95 % |
+| intermediate | 1, 10, 1000, 1031, 1032, 1033, 1034, 11, 1102, 1116, 12, 13, 15, 16, 17, 20, 22, 3, 30, 4103, 4104, 4624, 4649, 4656, 4657, 4658, 4662, 4663, 4688, 4697, 47, 4720, 4738, 4741, 4742, 4794, 4825, 5, 5136, 5145, 517, 524, 6, 7, 7045 | 166 | 36.32 % |
+| elementary | 1, 10, 11, 1116, 13, 15, 17, 325, 4103, 4104, 4625, 4656, 4663, 4688, 4697, 4704, 4720, 5, 5136, 6, 7, 7045, 8 | 86 | 18.82 % |
\ No newline at end of file